CCE-95746-4Platform: cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04 | Date: (C)2023-12-15 (M)2023-12-22 |
sudo provides users with temporary elevated privileges to perform operations, either as the superuser or another user.
Rationale:
Creating an audit log of users with temporary elevated privileges and the operation(s) they performed is essential to reporting. Administrators will want to correlate the events written to the audit trail with the records written to sudo logfile to verify if unauthorized commands have been executed.
Fix:
Edit the /etc/audit/audit.rules file to include the following lines:
For 64bit system
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
For 32bit system
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
Run the following command to load the rules into active configurationaugenrules --load
Parameter:
[yes/no]
Technical Mechanism:
Edit the /etc/audit/audit.rules file to include the following lines:
For 64bit system
-a always,exit -F arch=b64 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
For 32bit system
-a always,exit -F arch=b32 -S execve -C uid!=euid -F auid!=-1 -F key=user_emulation
CCSS Severity: | CCSS Metrics: |
CCSS Score : 7.0 | Attack Vector: LOCAL |
Exploit Score: 1.0 | Attack Complexity: HIGH |
Impact Score: 5.9 | Privileges Required: LOW |
Severity: HIGH | User Interaction: NONE |
Vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | Scope: UNCHANGED |
| Confidentiality: HIGH |
| Integrity: HIGH |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:96078 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:95859 |