4.1.11 Ensure use of privileged commands is collected

Information

Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.

Notes:

Systems may have been customized to change the default UID_MIN. To confirm the UID_MIN for your system, run the following command:

# awk '/^s*UID_MIN/{print $2}' /etc/login.defs

If your systems' UID_MIN is not 500, replace audit>=500 with audit>=<UID_MIN for your system> in the Audit and Remediation procedures.

Reloading the auditd configuration to set active settings may require a system reboot.

Rationale:

Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them.
The audit parameters associated with this are as follows:

-F path=' $1 ' - will populate each file name found through the find command and processed by awk.

-F perm=x - will write an audit record if the file is executed.

-F audit>=500 - will write a record if the user executing the command is not a privileged user.

-F auid!= 4294967295 - will ignore Daemon events

All audit records should be tagged with the identifier 'privileged'.
Run the following command replacing with a list of partitions where programs can be executed from on your system:

# find <partition> -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print '-a always,exit -F path=' $1 ' -F perm=x -F auid>=''$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)'' -F auid!=4294967295 -k privileged' }'

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add all resulting lines to the file.
Example:

# find / -xdev ( -perm -4000 -o -perm -2000 ) -type f | awk '{print '-a always,exit -F path=' $1 ' -F perm=x -F auid>=''$(awk '/^s*UID_MIN/{print $2}' /etc/login.defs)'' -F auid!=4294967295 -k privileged' }' >> /etc/audit/rules.d/10-privileged.rules

See Also

https://workbench.cisecurity.org/files/3148

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 79c9d0c937702917456e0f9aae899968f0529878484a24f1ba93af76b46f98c5