CCE

CCE-95499-0

Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9
Date: (C)2021-03-05 (M)2023-07-04



Description: Monitor privileged programs (those that have the setuid and/or setgid bit set on execution) to determine if unprivileged users are running these commands.

Rationale: Execution of privileged commands by non-privileged users could be an indication of someone trying to gain unauthorized access to the system.

Audit: Run the following command, replacing <partition> with a list of partitions where programs can be executed from on your system:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'

Verify that all resulting lines are present in a .rules file in /etc/audit/rules.d/ and in the output of auditctl -l.

Note: The .rules file output will show auid!=-1, not auid!=4294967295.

Remediation: To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:

-F path=" $1 " - populates each file name found through the find command and processed by awk.
-F perm=x - writes an audit record if the file is executed.
-F auid>=1000 - writes a record if the user executing the command is not a privileged user.
-F auid!=4294967295 - ignores daemon events.

All audit records should be tagged with the identifier "privileged". Run the following command, replacing <partition> with a list of partitions where programs can be executed from on your system:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add all resulting lines to the file.

Example:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules

Notes: Reloading the auditd config to set active settings may require a system reboot.
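An added example, not SecPod's or CIS's own tooling, that scripts the audit and remediation steps above for one partition: it generates the same rule line for every setuid/setgid regular file and then reports which generated rules are absent from the .rules files in a directory, accepting either the auid!=4294967295 form written to the file or the auid!=-1 form that auditctl -l prints. The function names and the fallback of 1000 when UID_MIN cannot be read from login.defs are assumptions.

```shell
#!/bin/sh
# Added example, not SecPod's or CIS's own tooling. Scripts the audit and
# remediation steps for one partition: generates the CIS-style auditd rule for
# every setuid/setgid regular file and reports which rules are not yet present
# in a rules directory. Run as root for a real partition, since directories
# that cannot be read are silently skipped.

# Read UID_MIN from a login.defs file; fall back to 1000 (an assumption) if absent.
read_uid_min() {
    v=$(awk '$1 == "UID_MIN" { print $2 }' "${1:-/etc/login.defs}" 2>/dev/null)
    printf '%s\n' "${v:-1000}"
}

# Print one rule per setuid (4000) or setgid (2000) regular file under $1,
# staying on that filesystem (-xdev). $2 = UID_MIN. Sorted so output is stable.
gen_privileged_rules() {
    part=$1
    uid_min=$2
    find "$part" -xdev \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null \
      | LC_ALL=C sort \
      | while IFS= read -r path; do
            printf '%s\n' "-a always,exit -F path=$path -F perm=x -F auid>=$uid_min -F auid!=4294967295 -k privileged"
        done
}

# Audit step: print every generated rule that appears in no *.rules file under
# directory $3. A rule counts as present in either the auid!=4294967295 form
# written to the file or the auid!=-1 form that auditctl -l prints.
missing_rules() {
    gen_privileged_rules "$1" "$2" | while IFS= read -r rule; do
        alt=$(printf '%s\n' "$rule" | sed 's/auid!=4294967295/auid!=-1/')
        cat "$3"/*.rules 2>/dev/null | grep -qxF -e "$rule" -e "$alt" \
            || printf '%s\n' "$rule"
    done
}
```

Calling `missing_rules /usr "$(read_uid_min)" /etc/audit/rules.d` as root prints only the rules still to be added; empty output means every privileged binary on that partition already has a matching rule.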


Parameter:

[1000]


Technical Mechanism:

To remediate this issue, the system administrator will have to execute a find command to locate all the privileged programs and then add an audit line for each one of them. The audit parameters associated with this are as follows:

-F path=" $1 " - populates each file name found through the find command and processed by awk.
-F perm=x - writes an audit record if the file is executed.
-F auid>=1000 - writes a record if the user executing the command is not a privileged user.
-F auid!=4294967295 - ignores daemon events.

All audit records should be tagged with the identifier "privileged". Run the following command, replacing <partition> with a list of partitions where programs can be executed from on your system:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }'

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules and add all resulting lines to the file.

Example:

# find <partition> -xdev \( -perm -4000 -o -perm -2000 \) -type f | awk '{print "-a always,exit -F path=" $1 " -F perm=x -F auid>='"$(awk '/^\s*UID_MIN/{print $2}' /etc/login.defs)"' -F auid!=4294967295 -k privileged" }' >> /etc/audit/rules.d/privileged.rules

CCSS Severity:
CCSS Score: 5.9
Exploit Score: 2.5
Impact Score: 3.4
Severity: MEDIUM
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CCSS Metrics:
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW

References:

Resource Id                  Reference
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:68650
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:72021
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:72839
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:73050
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:84261
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:72387
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:72736
SCAP Repo OVAL Definition    oval:org.secpod.oval:def:72945


XCCDF (8):
xccdf_org.secpod_benchmark_general_Amazon_Linux_AMI
xccdf_org.secpod_benchmark_general_CENTOS_7
xccdf_org.secpod_benchmark_general_RHEL_8
xccdf_org.secpod_benchmark_general_OEL_8
...

© SecPod Technologies