Ubuntu 22.04 LTS must prevent all software from executing at higher privilege levels than users executing the software and the audit system must be configured to audit the execution of privileged functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-260648	UBTU-22-654230	SV-260648r958730_rule		Medium

Description
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127

Description

In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations. Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review. Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127

STIG	Date
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-64377r953755_chk )
Verify Ubuntu 22.04 LTS audits the execution of privilege functions by auditing the "execve" system call by using the following command: $ sudo auditctl -l \| grep execve -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv If the command does not return lines that match the example or the lines are commented out, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Check Text ( C-64377r953755_chk )

Verify Ubuntu 22.04 LTS audits the execution of privilege functions by auditing the "execve" system call by using the following command:

$ sudo auditctl -l | grep execve
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv

If the command does not return lines that match the example or the lines are commented out, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Fix Text (F-64285r953756_fix)
Configure Ubuntu 22.04 LTS to audit the execution of all privileged functions. Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file: -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv To reload the rules file, issue the following command: $ sudo augenrules --load Note: The "-k " at the end of the line gives the rule a unique meaning to help during an audit investigation. The does not need to match the example above.

Fix Text (F-64285r953756_fix)

Configure Ubuntu 22.04 LTS to audit the execution of all privileged functions.

Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:

-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv

To reload the rules file, issue the following command:

$ sudo augenrules --load

Note: The "-k " at the end of the line gives the rule a unique meaning to help during an audit investigation. The does not need to match the example above.