SV-99311r1_rule
V-88661
SRG-OS-000327-GPOS-00127
VROM-SL-001005
CAT III
10
At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid programs:
# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list:
-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged
OR
# /etc/dodscript.sh
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs:
# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
# grep path /etc/audit/audit.rules
It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
V-88661
False
VROM-SL-001005
To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs:
# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null
Run the following command to verify entries in the audit rules for all programs found with the previous command:
# grep path /etc/audit/audit.rules
It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.
M
3461