SLEM 5 must generate audit records for all uses of privileged functions.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-261462	SLEM-05-654195	SV-261462r996793_rule		Medium

Description
Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

Description

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

STIG	Date
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide	2024-06-04

Details

Check Text ( C-65191r996791_chk )
Verify SLEM 5 generates an audit record for any privileged use of the "execve" system call with the following command: > sudo auditctl -l \| grep -w 'execve' -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding. If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding. Note: The "key=" value is arbitrary and can be different from the example output above.

Check Text ( C-65191r996791_chk )

Verify SLEM 5 generates an audit record for any privileged use of the "execve" system call with the following command:

> sudo auditctl -l | grep -w 'execve'
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=setgid

If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.

If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Note: The "key=" value is arbitrary and can be different from the example output above.

Fix Text (F-65099r996792_fix)
Configure SLEM 5 to generate an audit record for any privileged use of the "execve" system call. Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file: -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid To reload the rules file, restart the audit daemon: > sudo systemctl restart auditd.service or issue the following command: > sudo augenrules --load

Fix Text (F-65099r996792_fix)

Configure SLEM 5 to generate an audit record for any privileged use of the "execve" system call.

Add or modify the following lines in "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

To reload the rules file, restart the audit daemon:

> sudo systemctl restart auditd.service

or issue the following command:

> sudo augenrules --load