Add description for 8.1.22

samson 2018-10-21 03:38:43 +08:00
parent 2e24fd776e
commit 3edc26f2a4


@ -78,19 +78,19 @@ Configure the operating system to generate audit records when successful/unsucce
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.21 Recored Events that privileged-passwd command usage (Scored)
## 8.1.21 Recored Events that privileged-pasdsw command usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the passwd command must be audited.
All uses of the privileged-passwd command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Aduit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
```
# grep -i /usr/bin/passwd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
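Review bot: the edited `## 8.1.21` heading introduces a new typo, "privileged-pasdsw", while the rest of this change renames the item to "privileged-passwd"; the heading should match the key used in the rule (`-k privileged-passwd`). In the same hunk, "Recored Events that ... command usage" and "### Aduit" are misspellings ("Record events of ... command usage", "### Audit"). On the Audit wording, `/etc/audit/audit.rules` is regenerated from `/etc/audit/rules.d/` by augenrules, so verifying the loaded rule set with `auditctl -l | grep privileged-passwd` is more reliable than grepping the file alone and would catch a rule that is present in the file but never loaded.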
@ -104,7 +104,7 @@ Verify the operating system generates audit records when successful/unsuccessful
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
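Review bot: the Audit step in the previous hunk greps only `/usr/bin/passwd`, but the Remediation here installs two rules (`/usr/bin/passwd` and `/sbin/unix_chkpwd`), so a host missing the `unix_chkpwd` rule still passes the check. Either add a second grep for `/sbin/unix_chkpwd` to the Audit section or grep on the key (`grep -- '-k privileged-passwd' /etc/audit/audit.rules`) and state that both rules must be present. The new plural wording "privileged-passwd commands" is consistent with the two rules.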
@ -113,6 +113,44 @@ Configure the operating system to generate audit records when successful/unsucce
```
The audit daemon must be restarted for the changes to take effect.
## 8.1.22 Recored Events that privileged-priv-change command usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the privileged-priv-change command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Aduit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /bin/su /etc/audit/audit.rules
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudo /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/chsh /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
The audit daemon must be restarted for the changes to take effect.
## 8.5 Verifies integrity all packages (scored)
### Profile Applicability
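Review bot: the five grep checks in the new 8.1.22 Audit section are substring matches, so `grep -i /bin/su` also matches the `/usr/bin/sudo` and `/usr/bin/sudoedit` rules, and `grep -i /usr/bin/sudo` also matches `/usr/bin/sudoedit`; the su and sudo checks therefore return output even when their own rules are absent. Anchor the patterns, e.g. `grep -E 'path=/bin/su( |$)'` and `grep -E 'path=/usr/bin/sudo( |$)'`, or grep on the key and require all five lines to be present. Related points in this hunk: the heading and prose say "privileged-priv-change" (hyphen) while every rule uses `-k privileged-priv_change` (underscore), so a reader searching logs by the documented key finds nothing; "Check for the following system call being audited" should say file system rules, since these are `path=`/`perm=x` watches rather than syscall rules (compare the 8.1.21 wording); "If the command does not return any output" should read "If any of the commands does not return output" because there are five; and "Recored"/"Aduit" are misspelled as in 8.1.21.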