From 3edc26f2a49c92a7076dde42c8b332f9faab23e6 Mon Sep 17 00:00:00 2001
From: samson
Date: Sun, 21 Oct 2018 03:38:43 +0800
Subject: [PATCH] Add description for 8.1.22

---
 .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 46 +++++++++++++++++--
 1 file changed, 42 insertions(+), 4 deletions(-)

diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
index 656e58f..49d42bc 100644
--- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
+++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
@@ -78,19 +78,19 @@ Configure the operating system to generate audit records when successful/unsucce
 ```
 The audit daemon must be restarted for the changes to take effect.
 
-## 8.1.21 Recored Events that privileged-passwd command usage (Scored)
+## 8.1.21 Recored Events that privileged-pasdsw command usage (Scored)
 
 ### Profile Applicability
 Level 4
 
 ### Description
-All uses of the passwd command must be audited.
+All uses of the privileged-passwd command must be audited.
 
 ### Rationale
 Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
 
 ### Aduit
-Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
+Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
 ```
 # grep -i /usr/bin/passwd /etc/audit/audit.rules
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
@@ -104,7 +104,7 @@ Verify the operating system generates audit records when successful/unsuccessful
 If the command does not return any output, this is a finding.
 
 ### Remediation
-Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
 ```
 -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
 -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
@@ -113,6 +113,44 @@ Configure the operating system to generate audit records when successful/unsucce
 ```
 The audit daemon must be restarted for the changes to take effect.
 
+## 8.1.22 Recored Events that privileged-priv-change command usage (Scored)
+
+### Profile Applicability
+Level 4
+
+### Description
+All uses of the privileged-priv-change command must be audited.
+
+### Rationale
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+### Aduit
+Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
+```
+# grep -i /bin/su /etc/audit/audit.rules
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+# grep -i /usr/bin/sudo /etc/audit/audit.rules
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+# grep -i /usr/bin/newgrp /etc/audit/audit.rules
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+# grep -i /usr/bin/chsh /etc/audit/audit.rules
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+```
+If the command does not return any output, this is a finding.
+
+### Remediation
+Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
+```
+-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
+```
+The audit daemon must be restarted for the changes to take effect.
+
 ## 8.5 Verifies integrity all packages (scored)
 
 ### Profile Applicability