STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The SUSE operating system must generate audit records for all uses of the privileged functions.

DISA Rule

SV-217209r603262_rule

Vulnerability Number

V-217209

Group Title

SRG-OS-000327-GPOS-00127

Rule Version

SLES-12-020240

Severity

CAT III

CCI(s)

• CCI-002234 - The information system audits the execution of privileged functions.
• CCI-001877 - The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents.
• CCI-001878 - The information system provides a report generation capability that supports on-demand audit review and analysis.
• CCI-001914 - The information system provides the capability for organization-defined individuals or roles to change the auditing to be performed on organization-defined information system components based on organization-defined selectable event criteria within organization-defined time thresholds.
• CCI-001814 - The Information system supports auditing of the enforcement actions.
• CCI-001875 - The information system provides an audit reduction capability that supports on-demand audit review and analysis.
• CCI-001879 - The information system provides a report generation capability that supports on-demand reporting requirements.
• CCI-001880 - The information system provides a report generation capability that supports after-the-fact investigations of security incidents.
• CCI-001889 - The information system records time stamps for audit records that meet organization-defined granularity of time measurement.
• CCI-001881 - The information system provides an audit reduction capability that does not alter original content or time ordering of audit records.
• CCI-001882 - The information system provides a report generation capability that does not alter original content or time ordering of audit records.

Weight

10

Fix Recommendation

Configure the operating system to audit the execution of privileged functions.

Add or update the following rules in "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

The audit daemon must be restarted for the changes to take effect.

# sudo systemctl restart auditd.service

Check Contents

Verify the operating system audits the execution of privileged functions using the following command:

# grep -iw execve /etc/audit/audit.rules

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.

If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Vulnerability Number

V-217209

Documentable

False

Rule Version

SLES-12-020240

Severity Override Guidance

Verify the operating system audits the execution of privileged functions using the following command:

# grep -iw execve /etc/audit/audit.rules

-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k setgid
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k setgid

If both the "b32" and "b64" audit rules for "SUID" files are not defined, this is a finding.

If both the "b32" and "b64" audit rules for "SGID" files are not defined, this is a finding.

Check Content Reference

M

Target Key

4033

Comments