Differences

This shows you the differences between two versions of the page.

Link to this comparison view

centos7:4:1:12 [2017/05/04 16:12] (current)
Line 1: Line 1:
 +======4.1.12 Ensure use of privileged commands is collected (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
  
 +=====Description=====
 +Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.
 +
 +=====Rationale=====
 +Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.
 +
 +=====Audit===== ​
 +Run the following command replacing <​partition>​ with a list of partitions where programs can be executed from on your system:
 +<​Code:​bash>​
 +# find <​partition>​ -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '​{print \ "-a always,exit -F path=" $1 " -F perm=x -F auid>​=1000 -F auid!=4294967295 \ -k privileged"​ }'
 +</​Code>​
 +Verify all resulting lines are in the ''/​etc/​audit/​audit.rules''​ file.
 +
 +=====Remediation===== ​
 +To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows: \\
 +''​-F path=" $1 "''​ - will populate each file name found through the find command and processed by awk.  \\
 +''​-F perm=x''​ - will write an audit record if the file is executed. \\
 +''​-F auid>​=1000''​ - will write a record if the user executing the command is not a privileged user. \\
 +''​-F auid!= 4294967295''​ - will ignore Daemon events \\ \\
 +All audit records should be tagged with the identifier "​privileged"​. \\ \\ 
 +Run the following command replacing <​partition>​ with a list of partitions where programs can be executed from on your system:
 +<​Code:​Bash>​
 +# find <​partition>​ -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '​{print \ "-a always,exit -F path=" $1 " -F perm=x -F auid>​=1000 -F auid!=4294967295 \ -k privileged"​ }'
 +</​Code>​
 +Add all resulting lines to the ''/​etc/​audit/​audit.rules''​ file.