tyler.durden
/
harbian-audit
mirror of https://github.com/hardenedlinux/harbian-audit.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add description for 8.1.25

This commit is contained in:
samson 2018-10-22 03:00:13 +08:00
parent de4712f55c
commit 408896bdfd
1 changed files with 26 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
View File

@ -208,6 +208,32 @@ Configure the operating system to generate audit records when successful/unsucce
The audit daemon must be restarted for the changes to take effect.
## 8.1.25 Recored pam_timestamp_check command usage (scored)
### Profile Applicability
Level 4
### Description
All uses of the pam_timestamp_check command must be audited.
### Rationale
Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
### Aduit
Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
```
# grep -i "/sbin/pam_timestamp_check" /etc/audit/audit.rules
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
If the command does not return any output, this is a finding.
Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_timestamp_check" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules":
```
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam
```
The audit daemon must be restarted for the changes to take effect.
## 8.5 Verifies integrity all packages (scored)
### Profile Applicability