Add description for 8.1.22

samson 2018-10-21 03:38:43 +08:00
parent 2e24fd776e
commit 3edc26f2a4


@ -78,19 +78,19 @@ Configure the operating system to generate audit records when successful/unsucce
``` ```
The audit daemon must be restarted for the changes to take effect. The audit daemon must be restarted for the changes to take effect.
## 8.1.21 Recored Events that privileged-passwd command usage (Scored) ## 8.1.21 Recored Events that privileged-pasdsw command usage (Scored)
### Profile Applicability ### Profile Applicability
Level 4 Level 4
### Description ### Description
All uses of the passwd command must be audited. All uses of the privileged-passwd command must be audited.
### Rationale ### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged password commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Aduit ### Aduit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "passwd" command occur. Check the file system rule in "/etc/audit/audit.rules" with the following command: Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Check the file system rule in "/etc/audit/audit.rules" with the following command:
``` ```
# grep -i /usr/bin/passwd /etc/audit/audit.rules # grep -i /usr/bin/passwd /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
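Review bot: the new 8.1.21 heading introduces a typo, `privileged-pasdsw`, while the rule key and the rest of the section use `privileged-passwd`; the line should read `## 8.1.21 Record Events that privileged-passwd command usage (Scored)`, and the pre-existing `Recored` and `### Aduit` should be corrected to `Record` and `### Audit` in the same edit. The Audit text now refers to the `privileged-passwd` commands (plural), but the only check shown is `grep -i /usr/bin/passwd /etc/audit/audit.rules`; if the intent is to verify every rule carrying that key, matching on the key itself (`grep -i privileged-passwd /etc/audit/audit.rules`) covers all of them in one command.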
@ -104,7 +104,7 @@ Verify the operating system generates audit records when successful/unsuccessful
If the command does not return any output, this is a finding. If the command does not return any output, this is a finding.
### Remediation ### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "passwd" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-passwd" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
``` ```
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd
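Review bot: the Remediation lists two rules, for `/usr/bin/passwd` and `/sbin/unix_chkpwd`, but the Audit check in the previous hunk greps only `/usr/bin/passwd`, so a system missing the `unix_chkpwd` rule would still pass the check; add `# grep -i /sbin/unix_chkpwd /etc/audit/audit.rules` to the Audit section or match on the key. `Add or update the following rule` should read `rules` now that two lines are given. Minor: the Audit section reads `/etc/audit/audit.rules` while the Remediation writes to `/etc/audit/rules.d/audit.rules`; that is consistent only where augenrules regenerates the former from the latter when the daemon is restarted, which is worth stating beside the restart note.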
@ -113,6 +113,44 @@ Configure the operating system to generate audit records when successful/unsucce
``` ```
The audit daemon must be restarted for the changes to take effect. The audit daemon must be restarted for the changes to take effect.
## 8.1.22 Recored Events that privileged-priv-change command usage (Scored)
### Profile Applicability
Level 4
### Description
All uses of the privileged-priv-change command must be audited.
### Rationale
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged access commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
### Aduit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules":
```
# grep -i /bin/su /etc/audit/audit.rules
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudo /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/newgrp /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/chsh /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
# grep -i /usr/bin/sudoedit /etc/audit/audit.rules
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
If the command does not return any output, this is a finding.
### Remediation
Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "privileged-priv-change" commands occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
-a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change
```
The audit daemon must be restarted for the changes to take effect.
## 8.5 Verifies integrity all packages (scored) ## 8.5 Verifies integrity all packages (scored)
### Profile Applicability ### Profile Applicability
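Review bot: the audit key in the new 8.1.22 section is inconsistent: the heading, Description, Audit and Remediation prose say `privileged-priv-change` (hyphen) while all ten rule lines use `-k privileged-priv_change` (underscore); pick one, since anyone searching the log with `ausearch -k` needs the exact key. The Audit text says `Check for the following system call being audited`, but these are `-F path=` file rules, not syscall rules, so `file system rules` (the wording used in 8.1.21) is accurate. `If the command does not return any output` should be `If any of the commands does not return output`, because five greps are listed and each must match, and `Add or update the following rule` should read `rules`. The copied typos `Recored` and `### Aduit` should be `Record` and `### Audit`.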