The HYCU virtual appliance must audit the execution of privileged functions.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-268226	HYCU-ND-000080	SV-268226r1038378_rule		Medium

Description

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised information system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider threats and the advanced persistent threat.

STIG	Date
HYCU Protege Security Technical Implementation Guide	2024-10-29

Details

Check Text (C-72247r1038376_chk)

Check the contents of the "/var/log/audit/audit.log" file.

HYCU also maintains Event (Audit) information in the HYCU Web UI Events menu.

Verify the audit log contains records showing when the execution of privileged functions occurred.

If the audit log is not configured or does not have the required contents, this is a finding.

Fix Text (F-72150r1038377_fix)

Configure HYCU to audit the execution of the "execve" system call.

Add or update the following file system rules to "/etc/audit/rules.d/audit.rules":
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv

-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv

Reboot the appliance to take effect.

STIG VIEWER