4.1.13 Ensure use of privileged commands is collected

Information

Monitor privileged programs (those that have the setuid and/or setgid bit set on execution)
to determine if unprivileged users are running these commands.

Rationale:

Execution of privileged commands by non-privileged users could be an indication of
someone trying to gain unauthorized access to the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate this issue, the system administrator will have to execute a find command to
locate all the privileged programs and then add an audit line for each one of them. The
audit parameters associated with this are as follows:
-F path=" $1 " - populates each file name found by the find command and processed by awk.
-F perm=x - writes an audit record if the file is executed.
-F auid>=500 - writes a record if the user executing the command is not a privileged user.
-F auid!=4294967295 - ignores daemon events.
All audit records should be tagged with the identifier "privileged".
Run the following command, replacing <partition> with a list of partitions where programs can be
executed from on your system (the parentheses are escaped so the shell passes them to find):

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }'

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
And add all resulting lines to the file.
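The procedure above as a script, added here as an example and not part of the benchmark text: gen_privileged_rules prints one rule per setuid/setgid file (handling paths with spaces, which the awk one-liner splits on), and missing_privileged_rules is a hypothetical re-check that reports privileged binaries a rules file does not yet cover. Both function names are this example's own; it assumes a POSIX sh and a find that supports -xdev and -perm.

```shell
#!/bin/sh
# Print one "-a always,exit ..." audit rule per setuid/setgid regular file
# found below $1, staying on that filesystem (-xdev), in the rule shape used
# by the remediation. read -r keeps file names with spaces intact.
gen_privileged_rules() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
    while IFS= read -r f; do
        printf '%s -F path=%s -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged\n' \
            "-a always,exit" "$f"
    done
}

# List setuid/setgid files below $1 that have no "-F path=<file> " entry in the
# rules file $2. Empty output means every privileged binary is covered; a new
# package that installs a setuid helper after the rules were written shows up here.
missing_privileged_rules() {
    find "$1" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
    while IFS= read -r f; do
        grep -qF -- "-F path=$f " "$2" || printf '%s\n' "$f"
    done
}

# Usage (constructed): gen_privileged_rules / > /etc/audit/rules.d/privileged.rules
# then later: missing_privileged_rules / /etc/audit/rules.d/privileged.rules
```

Re-running missing_privileged_rules after package updates catches newly installed setuid binaries that the original one-off find did not see.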

Notes:

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420