STIG ID: UBTU-22-654230 | SRG: SRG-OS-000326-GPOS-00126 | Severity: medium | CCI: | Vulnerability Id: V-260648
In certain situations, software applications/programs need to execute with elevated privileges to perform required functions. However, if the privileges required for execution are at a higher level than the privileges assigned to organizational users invoking such applications/programs, those users are indirectly provided with greater privileges than assigned by the organizations.
Some programs and processes are required to operate at a higher privilege level and therefore should be excluded from the organization-defined software list after review.
Satisfies: SRG-OS-000326-GPOS-00126, SRG-OS-000327-GPOS-00127
Configure Ubuntu 22.04 LTS to audit the execution of all privileged functions.
Add or modify the following lines in the "/etc/audit/rules.d/stig.rules" file:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv
To reload the rules file, issue the following command:
$ sudo augenrules --load
Note: The "-k
Verify Ubuntu 22.04 LTS audits the execution of privilege functions by auditing the "execve" system call by using the following command:
$ sudo auditctl -l | grep execve
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -F key=execpriv
-a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -F key=execpriv
If the command does not return lines that match the example or the lines are commented out, this is a finding.
Note: The "key=" value is arbitrary and can be different from the example output above.