Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-77323 | SLES-12-020240 | SV-92019r1_rule | | Low |
Description |
---|
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat. Satisfies: SRG-OS-000327-GPOS-00127, SRG-OS-000337-GPOS-00129, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137, SRG-OS-000350-GPOS-00138, SRG-OS-000351-GPOS-00139, SRG-OS-000352-GPOS-00140, SRG-OS-000353-GPOS-00141, SRG-OS-000354-GPOS-00142, SRG-OS-000358-GPOS-00145, SRG-OS-000359-GPOS-00146, SRG-OS-000365-GPOS-00152 |
STIG | Date |
---|---|
SLES 12 Security Technical Implementation Guide | 2019-03-12 |
Check Text ( C-76879r1_chk ) |
---|
Verify the SUSE operating system generates an audit record when privileged functions are executed.

Find relevant setuid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition:

```
# sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
```

Verify all of the programs found with the command above are listed in the audit file by running the following command for every program found, replacing "[FILE_PATH]" with each program to include the full path:

```
# grep [FILE_PATH] /etc/audit/audit.rules
-w [SETUID_FILE_PATH] -p wa -k privilege_function
```

All setuid programs on the system must have a corresponding audit rule, or there must be an audit rule for the subdirectory that contains the setuid file.

If any of the setuid programs/files on the system do not have an audit rule, this is a finding.
Fix Text (F-83965r1_fix) |
---|
Configure the SUSE operating system to generate an audit record for all uses of privileged functions.

Find relevant setuid programs using the following command once for each local system partition, replacing "[PARTITION]" with each local system partition:

```
# sudo find [PARTITION] -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
```

For every setuid program not covered by an audit rule for a subdirectory, add a line for each setuid program in "/etc/audit/audit.rules", replacing "[SETUID_FILE_PATH]" with the full path to the setuid program from the list above:

```
-w [SETUID_FILE_PATH] -p wa -k privilege_function
```
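The check and fix above are manual. The following POSIX shell script is an added example, not part of the STIG or of any DISA tool: it lists the setuid/setgid files on one partition and reports those that no `-w ... -p wa` watch rule in the given rules file covers, either directly or through an ancestor directory. It assumes watch-style (`-w`) rules only; `-a ... -F path=` rules are not parsed, and the function names are the example's own.

```shell
#!/bin/sh
# Example check for SLES-12-020240: report setuid/setgid files that have no
# audit watch rule. Function names here are this example's own, not DISA's.

# is_watched RULES PATH: succeed if RULES holds "-w <PATH or ancestor dir> -p <perms>"
# where <perms> contains both "w" and "a". Only -w style rules are parsed;
# a watch on "/" itself is not considered.
is_watched() {
    rules=$1
    path=$2
    while [ -n "$path" ]; do
        if awk -v p="$path" '
            $1 == "-w" && $2 == p {
                for (i = 3; i < NF; i++)
                    if ($i == "-p" && index($(i+1), "w") && index($(i+1), "a"))
                        found = 1
            }
            END { exit found ? 0 : 1 }' "$rules" 2>/dev/null; then
            return 0
        fi
        path=${path%/*}   # climb to the parent directory
    done
    return 1
}

# find_uncovered RULES PARTITION: print every setuid/setgid regular file on
# PARTITION (not crossing mount points) that is_watched does not accept.
find_uncovered() {
    rules=$1
    partition=$2
    find "$partition" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        is_watched "$rules" "$f" || printf '%s\n' "$f"
    done
}

# Usage: sh check_setuid_audit.sh /etc/audit/audit.rules /   (once per partition)
# Empty output means every setuid/setgid file on that partition is covered.
if [ "$#" -eq 2 ]; then
    find_uncovered "$1" "$2"
fi
```

Any path printed is a finding under the check text; a rule for that file or for its directory, as in the fix text, clears it.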