CCE-95499-0
Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
Date: (C)2021-03-05 (M)2023-07-04
Description:
Monitor privileged programs (those that have the setuid and/or setgid bit set on execution)
to determine if unprivileged users are running these commands.
Rationale:
Execution of privileged commands by non-privileged users could be an indication of
someone trying to gain unauthorized access to the system.
Audit:
Run the following command, replacing <partition> with the list of partitions from which programs can be executed on your system (for example / and /usr). Because -xdev keeps find on a single filesystem, every such partition must be listed:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'
Verify that every resulting line is present in a .rules file in /etc/audit/rules.d/ and in the output of auditctl -l. A path that contains whitespace is truncated by awk's $1 and must be checked by hand.
Note: the loaded rule is reported as auid!=-1 (newer audit versions: auid!=unset) rather than auid!=4294967295; the spellings are equivalent and all mean a login UID that was never set.
Remediation:
To remediate this issue, the system administrator has to run a find command to locate all privileged programs and then add one audit rule for each of them. The audit parameters used are:
-F path=" $1 " - populates each file name found by find and processed by awk.
-F perm=x - writes an audit record when the file is executed.
-F auid>=1000 - writes a record when the executing user is not a system account (the threshold is UID_MIN from /etc/login.defs, 1000 on these platforms).
-F auid!=4294967295 - ignores daemon events (processes whose login UID was never set).
All audit records should be tagged with the identifier "privileged".
Run the following command, replacing <partition> with the list of partitions from which programs can be executed on your system (-xdev stays on one filesystem, so list each partition):
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'
Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add all resulting lines to the file.
Example:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules
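The Audit and Remediation steps above, as an added shell example that is not part of the benchmark text or of the SecPod content: it generates the same per-binary rules, but reads paths line by line instead of through awk's $1 so that a path containing whitespace is reported and skipped rather than silently truncated, and it compares a rules file against auditctl -l output. The function names, the fallback to 1000 when UID_MIN is absent, and the spellings normalized in normalize_rules (auid!=-1 as the page notes, auid!=unset, "-S all", "-F key=") are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the benchmark text): generate the per-binary rules the
# Audit/Remediation steps describe and check them against what auditd has loaded.
# Function names and the normalization rules below are this example's own choices.

# uid_min_from LOGIN_DEFS: print UID_MIN from a login.defs-style file
# (falls back to 1000, the page's Parameter value, when the key is absent).
uid_min_from() {
    v=$(awk '/^[[:space:]]*UID_MIN[[:space:]]/ {print $2}' "$1" 2>/dev/null || true)
    printf '%s\n' "${v:-1000}"
}

# gen_privileged_rules LOGIN_DEFS KEY DIR...: one "-a always,exit" rule per
# setuid/setgid regular file found under each DIR. -xdev keeps find on one
# filesystem, so every partition that holds executables must be passed.
# A path containing whitespace cannot be written on one auditctl rule line
# (the page's awk '$1' would silently truncate it); it is reported and skipped.
gen_privileged_rules() {
    login_defs=$1; key=$2; shift 2
    uid_min=$(uid_min_from "$login_defs")
    for dir in "$@"; do
        find "$dir" -xdev \( -perm -4000 -o -perm -2000 \) -type f
    done | LC_ALL=C sort -u | while IFS= read -r f; do
        case $f in
            *[[:space:]]*)
                printf 'skipping %s: whitespace in path, write its rule by hand\n' "$f" >&2
                continue ;;
        esac
        printf '%s\n' "-a always,exit -F path=$f -F perm=x -F auid>=$uid_min -F auid!=4294967295 -k $key"
    done
}

# normalize_rules: canonicalize rule lines read from stdin so a rules file and
# `auditctl -l` output compare equal. auditctl reports auid!=-1 (the page's note)
# or auid!=unset for 4294967295; it is assumed here that it may also insert
# "-S all" and spell the key as "-F key=".
normalize_rules() {
    sed -e 's/ -S all / /' \
        -e 's/auid!=-1/auid!=4294967295/' \
        -e 's/auid!=unset/auid!=4294967295/' \
        -e 's/ -F key=/ -k /' | LC_ALL=C sort -u
}

# missing_rules EXPECTED_FILE LOADED_FILE: print expected rules that are absent
# from the loaded set (empty output means the audit check passes).
missing_rules() {
    exp_n=$(mktemp); got_n=$(mktemp)
    normalize_rules < "$1" > "$exp_n"
    normalize_rules < "$2" > "$got_n"
    LC_ALL=C comm -23 "$exp_n" "$got_n"
    rm -f "$exp_n" "$got_n"
}

# Usage on a live system (as root):
#   gen_privileged_rules /etc/login.defs privileged / /usr > /etc/audit/rules.d/privileged.rules
#   augenrules --load
#   auditctl -l > /tmp/loaded.rules
#   missing_rules /etc/audit/rules.d/privileged.rules /tmp/loaded.rules
```

Extra rules that auditd has loaded for other keys are ignored by the comparison; only rules expected for the privileged key and not found are printed, which is the condition the Audit step asks you to verify.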
Notes:
Reloading the auditd configuration to activate the new rules (augenrules --load) may require a system reboot; if the rules have been made immutable (-e 2), a reboot is the only way to change them.
Parameter:
[1000]
Technical Mechanism:
To remediate this issue, the system administrator has to run a find command to locate all privileged programs and then add one audit rule for each of them. The audit parameters used are:
-F path=" $1 " - populates each file name found by find and processed by awk.
-F perm=x - writes an audit record when the file is executed.
-F auid>=1000 - writes a record when the executing user is not a system account (UID_MIN from /etc/login.defs, 1000 on these platforms).
-F auid!=4294967295 - ignores daemon events (processes whose login UID was never set).
All audit records should be tagged with the identifier "privileged".
Run the following command, replacing <partition> with the list of partitions from which programs can be executed on your system:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'
Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add all resulting lines to the file.
Example:
# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules
CCSS Severity:
CCSS Score: 5.9
Exploit Score: 2.5
Impact Score: 3.4
Severity: MEDIUM
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW
References:
Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:68650 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72021 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72839 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73050 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84261 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72387 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72736 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:72945 |