STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:SV-219556r603263_rule
V-219556
SRG-OS-000327
OL6-00-000198
CAT III
10
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition [PART]:
$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
Then, for each setuid / setgid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid / setgid program in the list:
-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs:
$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
$ sudo grep path /etc/audit/audit.rules
It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.
V-219556
False
OL6-00-000198
To verify that auditing of privileged command use is configured, run the following command once for each local partition [PART] to find relevant setuid / setgid programs:
$ sudo find [PART] -xdev -type f -perm /6000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
$ sudo grep path /etc/audit/audit.rules
It should be the case that all relevant setuid / setgid programs have a line in the audit rules. If that is not the case, this is a finding.
M
2928