{"description": "\n\n\nAt a minimum, the audit system should collect the execution of privileged\ncommands for all users and root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add\na line of the following form to a file with suffix <tt>.rules</tt>\nin the directory <tt>/etc/audit/rules.d</tt>:\n<pre>-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add a line of the\nfollowing form to <tt>/etc/audit/audit.rules</tt>:\n<pre>-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid&gt;=1000 -F auid!=unset -F key=privileged</pre>", "rationale": "Misuse of privileged functions, either intentionally or unintentionally by\nauthorized users, or by unauthorized external entities that have compromised system accounts,\nis a serious and ongoing concern and can have significant adverse impacts on organizations.\nAuditing the use of privileged functions is one way to detect such misuse and identify\nthe risk from insider and advanced persistent threats.\n<br /><br />\nPrivileged programs are subject to escalation-of-privilege attacks,\nwhich attempt to subvert their normal role of providing some necessary but\nlimited capability. As such, motivation exists to monitor these programs for\nunusual activity.", "severity": "medium", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "2", "3", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "BAI03.05", "DSS01.03", "DSS03.05", "DSS05.02", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "isa-62443-2009": ["4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 6.2"], "iso27001-2013": ["A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.14.2.7", "A.15.2.1", "A.15.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.PT-1"], "srg": ["SRG-OS-000042-GPOS-00020", "SRG-OS-000392-GPOS-00172", "SRG-OS-000471-GPOS-00215", "SRG-APP-000499-CTR-001255", "SRG-APP-000501-CTR-001265", "SRG-APP-000502-CTR-001270"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify that Ubuntu 22.04 is configured to audit the execution of the \"pt_chown\" command with the following command:\n\n$ sudo auditctl -l | grep pt_chown\n\n-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records upon successful/unsuccessful attempts to use the \"pt_chown\" command by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F path=/usr/libexec/pt_chown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pt_chown\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must audit all uses of the pt_chown command.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Ensure auditd Collects Information on the Use of Privileged Commands - pt_chown", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands_pt_chown/rule.yml", "template": {"name": "audit_rules_privileged_commands", "vars": {"path": "/usr/libexec/pt_chown"}, "backends": {}}}