Ensure use of privileged commands is collected

Information

Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands. Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:

-F path=$1 - will be populated with each file name found through the find command and processed by /usr/bin/awk.
-F perm=x - will write an audit record if the file is executed.
-F auid>=500 - will write a record if the user executing the command is not a privileged user.
-F auid!=4294967295 - will ignore daemon events.

All audit records should be tagged with the identifier "privileged". Run the following command, replacing <partition> with a list of partitions where programs can be executed from on your system:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | /usr/bin/awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged"}'

Add all resulting lines to the /etc/audit/audit.rules file.
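As an added example (not part of the benchmark or Nessus text), the following POSIX shell script wraps the find/awk pipeline above in a function and adds a second function that reports which of the generated rules are still missing from an audit.rules file, so the check can be re-run after remediation. It keeps the page's auid>=500 threshold; the script name and function names are assumptions.

```shell
#!/bin/sh
# Generate the "-k privileged" audit rules for every setuid/setgid file under
# the given partition(s) and report which of them are not yet present in an
# audit.rules file. Added example; not part of the benchmark text.

# Print one "-a always,exit ..." rule per privileged program found under each
# partition given as an argument, sorted so repeated runs are easy to diff.
gen_privileged_rules() {
    # -xdev keeps find on the filesystem of each starting point, as the
    # benchmark command does. $0 (the whole line) is used instead of $1 so a
    # path containing spaces is not truncated; the 500 threshold follows the page.
    find "$@" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
        awk '{ print "-a always,exit -F path=" $0 " -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged" }' |
        sort
}

# Usage: missing_privileged_rules RULES_FILE PARTITION...
# Print the rules that are not already present verbatim in RULES_FILE
# (e.g. /etc/audit/audit.rules); prints nothing when coverage is complete.
missing_privileged_rules() {
    rules_file="$1"
    shift
    gen_privileged_rules "$@" | while IFS= read -r rule; do
        # -x: whole-line match, -F: literal (the rule contains '>=' and '!=').
        if ! grep -qxF -- "$rule" "$rules_file" 2>/dev/null; then
            printf '%s\n' "$rule"
        fi
    done
}

# Stand-alone use (assumed script name):
#   ./check_privileged_rules.sh /etc/audit/audit.rules / /usr
if [ "$#" -gt 1 ]; then
    missing_privileged_rules "$@"
fi
```

On distributions whose UID_MIN is 1000 rather than 500, change the auid threshold in the awk string to match.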

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html