From b6d67da9fc30f48af46675b986c761c8acf528b4 Mon Sep 17 00:00:00 2001 From: Josh Bradley Date: Sat, 26 Nov 2022 00:46:24 -0500 Subject: [PATCH 1/2] update audit rules to check for correct value --- .../StigData/Processed/Ubuntu-18.04-2.7.xml | 140 +++++++++--------- .../StigData/Processed/Ubuntu-18.04-2.8.xml | 140 +++++++++--------- 2 files changed, 140 insertions(+), 140 deletions(-) diff --git a/source/StigData/Processed/Ubuntu-18.04-2.7.xml b/source/StigData/Processed/Ubuntu-18.04-2.7.xml index cc37a30bd..dfa2f1f81 100644 --- a/source/StigData/Processed/Ubuntu-18.04-2.7.xml +++ b/source/StigData/Processed/Ubuntu-18.04-2.7.xml 
@@ -2843,11 +2843,11 @@ disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. - -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change + -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-priv_change + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-priv_change /etc/audit/rules.d/audit.rules False 
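Review bot: both the expected rule text and the pattern in this hunk now accept only the 4294967295 spelling, yet a rules file written with "-F auid!=-1" (the form this same file required until this change) loads an identical kernel filter, because auditctl stores -1 as the unsigned 32-bit value 4294967295. A host in that state will therefore flip to non-compliant and have the line rewritten even though nothing about its auditing changed, and the "#"-prefixed pattern will likewise stop recognising a commented-out rule that uses the -1 form. If the goal is to align with the spelling the STIG check expects, consider keeping 4294967295 as the written rule text but letting the pattern accept either form, e.g. "-F\s*auid!\s*=\s*(-1|4294967295)\s*-k". The commit subject says only "correct value"; the message should record why 4294967295 is the expected spelling so the next reader does not revert it to -1.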
@@ -2867,11 +2867,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn + -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chfn + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chfn /etc/audit/rules.d/audit.rules False 
@@ -2891,11 +2891,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount + -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-mount + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-mount /etc/audit/rules.d/audit.rules False 
@@ -2915,11 +2915,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount + -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-umount + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-umount /etc/audit/rules.d/audit.rules False 
@@ -2939,11 +2939,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh /etc/audit/rules.d/audit.rules False 
@@ -2963,11 +2963,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh /etc/audit/rules.d/audit.rules False 
@@ -2987,7 +2987,7 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod + -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2995,7 +2995,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod /etc/audit/rules.d/audit.rules False 
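Review bot: for every syscall rule from here on, the rule text and its pattern are changed in separate hunks (here @@ -2987 carries the rule and @@ -2995 the pattern), so the two can drift apart when one hunk is edited later. They agree in this pair: arch=b32, the same six xattr syscalls, key perm_mod, and 4294967295 on both sides. Worth keeping the pairs adjacent in review for the remaining b64, chown, chmod and perm_access rules below.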
@@ -3039,7 +3039,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod + -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3047,7 +3047,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod /etc/audit/rules.d/audit.rules False @@ -3091,7 +3091,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3099,7 +3099,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3117,7 +3117,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3125,7 +3125,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3143,7 +3143,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3151,7 +3151,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3169,7 +3169,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3177,7 +3177,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3195,7 +3195,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3203,7 +3203,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3221,7 +3221,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3229,7 +3229,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3247,7 +3247,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3255,7 +3255,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3273,7 +3273,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3281,7 +3281,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3299,11 +3299,11 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3323,11 +3323,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3347,11 +3347,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3371,11 +3371,11 @@ If the command does not return a line that matches the example or the line is co Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3395,11 +3395,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3419,11 +3419,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3443,11 +3443,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3467,11 +3467,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3493,11 +3493,11 @@ Note: The '-k' allows for specifying an arbitrary identifier and the string afte If the command does not return a line that matches the example or the line is commented out, this is a finding. - -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd + -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-passwd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-passwd /etc/audit/rules.d/audit.rules False 
@@ -3517,11 +3517,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-unix-update + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-unix-update /etc/audit/rules.d/audit.rules False 
@@ -3541,11 +3541,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd + -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-gpasswd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-gpasswd /etc/audit/rules.d/audit.rules False 
@@ -3565,11 +3565,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage + -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chage + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chage /etc/audit/rules.d/audit.rules False 
@@ -3589,11 +3589,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod + -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-usermod + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-usermod /etc/audit/rules.d/audit.rules False 
@@ -3613,11 +3613,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab + -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-crontab + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-crontab /etc/audit/rules.d/audit.rules False 
@@ -3637,11 +3637,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check + -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-pam_timestamp_check + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-pam_timestamp_check /etc/audit/rules.d/audit.rules False 
@@ -3661,11 +3661,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng + -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng /etc/audit/rules.d/audit.rules False 
@@ -3683,11 +3683,11 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng + -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng /etc/audit/rules.d/audit.rules False 
@@ -3801,13 +3801,13 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete + -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete /etc/audit/rules.d/audit.rules False 
@@ -3825,13 +3825,13 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete + -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete /etc/audit/rules.d/audit.rules False diff --git a/source/StigData/Processed/Ubuntu-18.04-2.8.xml b/source/StigData/Processed/Ubuntu-18.04-2.8.xml index 02b2eb046..ab6a33310 100644 --- a/source/StigData/Processed/Ubuntu-18.04-2.8.xml 
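Review bot: the two `delete` regexes (this b32 hunk and the b64 hunk before it) pin the syscall list to the single literal `unlink,unlinkat,rename,renameat,rmdir`, so a rules file that lists the same syscalls in a different order, or splits them across several `-a always,exit` lines, fails the check while auditing exactly the same events. If the intent of this patch is only to correct the unset-auid value, consider relaxing the syscall group to something like `(-S\s*[\w,]+\s*)+` instead of carrying the exact ordering into the fixed pattern; the VulnDiscussion text in the same hunk already notes that combining syscalls into one rule is a performance choice, not a compliance requirement.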
+++ b/source/StigData/Processed/Ubuntu-18.04-2.8.xml @@ -2842,11 +2842,11 @@ disk_full_action = HALT If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding. - -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-priv_change + -a always,exit -F path=/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-priv_change <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-priv_change + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/su\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-priv_change /etc/audit/rules.d/audit.rules False 
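Review bot: this file receives the same hand-applied substitution as every hunk before the `diff --git` header, with the rule line and the regex edited directly in the processed XML. If the `-1` value originates in the converter that generates the Processed files from the XCCDF, the converter needs the same change or the next regeneration of these files will reintroduce `-1` and reopen the mismatch; if it originates in the STIG text itself, a short note in the PR saying so would make that clear. Either way, consider generating both the 2.7 and 2.8 files from one source of truth rather than duplicating the edits so the two versions cannot drift apart.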
@@ -2866,11 +2866,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chfn + -a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chfn + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chfn\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chfn /etc/audit/rules.d/audit.rules False 
@@ -2890,11 +2890,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-mount + -a always,exit -F path=/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-mount <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-mount + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/mount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-mount /etc/audit/rules.d/audit.rules False 
@@ -2914,11 +2914,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-umount + -a always,exit -F path=/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-umount <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-umount + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/bin/umount\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-umount /etc/audit/rules.d/audit.rules False 
@@ -2938,11 +2938,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + -a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/ssh-agent\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh /etc/audit/rules.d/audit.rules False 
@@ -2962,11 +2962,11 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-ssh + -a always,exit -F path=/usr/lib/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-ssh <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-ssh + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/lib/openssh/ssh-keysign\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-ssh /etc/audit/rules.d/audit.rules False 
@@ -2986,7 +2986,7 @@ If the command does not return lines that match the example or the lines are com Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod + -a always,exit -F arch=b32 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -2994,7 +2994,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod /etc/audit/rules.d/audit.rules False 
@@ -3038,7 +3038,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=-1 -k perm_mod + -a always,exit -F arch=b64 -S setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3046,7 +3046,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_mod + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*setxattr,fsetxattr,lsetxattr,removexattr,fremovexattr,lremovexattr\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_mod /etc/audit/rules.d/audit.rules False @@ -3090,7 +3090,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b32 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3098,7 +3098,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3116,7 +3116,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b64 -S chown,fchown,fchownat,lchown -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3124,7 +3124,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chown,fchown,fchownat,lchown\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3142,7 +3142,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3150,7 +3150,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3168,7 +3168,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3176,7 +3176,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000462-GPOS-00206</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*chmod,fchmod,fchmodat\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False @@ -3194,7 +3194,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3202,7 +3202,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3220,7 +3220,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b32 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3228,7 +3228,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3246,7 +3246,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3254,7 +3254,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EPERM\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3272,7 +3272,7 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k perm_access + -a always,exit -F arch=b64 -S creat,open,openat,open_by_handle_at,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k perm_access <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). 
@@ -3280,7 +3280,7 @@ Audit records can be generated from various components within the information sy The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible. Satisfies: SRG-OS-000064-GPOS-00033, SRG-OS-000474-GPOS-00219</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_access + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*creat,open,openat,open_by_handle_at,truncate,ftruncate\s*-F\s*exit\s*=\s*-EACCES\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_access /etc/audit/rules.d/audit.rules False 
@@ -3298,11 +3298,11 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudo\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3322,11 +3322,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/sudoedit -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/sudoedit\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3346,11 +3346,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chsh\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3370,11 +3370,11 @@ If the command does not return a line that matches the example or the line is co Notes: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=-1 -k priv_cmd + -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k priv_cmd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*priv_cmd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/newgrp\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*priv_cmd /etc/audit/rules.d/audit.rules False 
@@ -3394,11 +3394,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chcon\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3418,11 +3418,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/sbin/apparmor_parser -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/apparmor_parser\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3442,11 +3442,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/setfacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3466,11 +3466,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=-1 -k perm_chng + -a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>=1000 -F auid!=4294967295 -k perm_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*perm_chng + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chacl\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*perm_chng /etc/audit/rules.d/audit.rules False 
@@ -3492,11 +3492,11 @@ Note: The '-k' allows for specifying an arbitrary identifier and the string afte If the command does not return a line that matches the example or the line is commented out, this is a finding. - -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-passwd + -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-passwd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-passwd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/passwd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-passwd /etc/audit/rules.d/audit.rules False 
@@ -3516,11 +3516,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-unix-update + -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-unix-update + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/sbin/unix_update\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-unix-update /etc/audit/rules.d/audit.rules False 
@@ -3540,11 +3540,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-gpasswd + -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-gpasswd <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-gpasswd + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/gpasswd\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-gpasswd /etc/audit/rules.d/audit.rules False 
@@ -3564,11 +3564,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-chage + -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chage <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-chage + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/chage\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-chage /etc/audit/rules.d/audit.rules False 
@@ -3588,11 +3588,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-usermod + -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-usermod <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-usermod + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/usermod\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-usermod /etc/audit/rules.d/audit.rules False 
@@ -3612,11 +3612,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-crontab + -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-crontab <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-crontab + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/bin/crontab\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-crontab /etc/audit/rules.d/audit.rules False 
@@ -3636,11 +3636,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=-1 -k privileged-pam_timestamp_check + -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-pam_timestamp_check <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*privileged-pam_timestamp_check + #\s*-a\s*always,exit\s*-F\s*path\s*=\s*/usr/sbin/pam_timestamp_check\s*-F\s*perm\s*=\s*x\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*privileged-pam_timestamp_check /etc/audit/rules.d/audit.rules False 
@@ -3660,11 +3660,11 @@ If the command does not return a line that matches the example or the line is co Note: The '-k' allows for specifying an arbitrary identifier and the string after it does not need to match the example output above. - -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng + -a always,exit -F arch=b32 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng /etc/audit/rules.d/audit.rules False 
@@ -3682,11 +3682,11 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=-1 -k module_chng + -a always,exit -F arch=b64 -S finit_module -F auid>=1000 -F auid!=4294967295 -k module_chng <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*module_chng + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*finit_module\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*module_chng /etc/audit/rules.d/audit.rules False 
@@ -3800,13 +3800,13 @@ The '-k' allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete + -a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b64\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete /etc/audit/rules.d/audit.rules False 
@@ -3824,13 +3824,13 @@ The "-k" allows for specifying an arbitrary identifier and the string after it d - -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=-1 -k delete + -a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat,rmdir -F auid>=1000 -F auid!=4294967295 -k delete <VulnDiscussion>Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Audit records can be generated from various components within the information system (e.g., module or policy filter). The system call rules are loaded into a matching engine that intercepts each syscall made by all programs on the system. Therefore, it is very important to use syscall rules only when absolutely necessary since these affect performance. The more rules, the bigger the performance hit. The performance is helped, however, by combining syscalls into one rule whenever possible.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls> - #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*-1\s*-k\s*delete + #\s*-a\s*always,exit\s*-F\s*arch\s*=\s*b32\s*-S\s*unlink,unlinkat,rename,renameat,rmdir\s*-F\s*auid>\s*=\s*1000\s*-F\s*auid!\s*=\s*4294967295\s*-k\s*delete /etc/audit/rules.d/audit.rules False From 21c4fb4af2598cc8264a437faacb866e28f48ec1 Mon Sep 17 00:00:00 2001 
From: Josh Bradley Date: Sat, 26 Nov 2022 01:12:00 -0500 Subject: [PATCH 2/2] update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index d25754d34..5fe634665 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## [Unreleased] +* Update `audit` STIG rules for Canonical Ubuntu 18.04 LTS STIG - V2R7 and V2R8: [#1170](https://github.com/microsoft/PowerStig/issues/1170) + ## [4.14.0] - 2022-09-14 * Update PowerSTIG to Parse/Apply Red Hat Enterprise Linux 7 STIG - Ver 3, Rel 8: [#1151](https://github.com/microsoft/PowerStig/issues/1151)
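Review bot: the new changelog line says the audit rules were updated but not what changed; since the only change in PATCH 1/2 is that the expected `auid` exclusion value moves from `-1` to `4294967295` in both the check text and the `/etc/audit/rules.d/audit.rules` regex, state that here (e.g. `... STIG - V2R7 and V2R8: expect auid!=4294967295 instead of auid!=-1 ...`) so that users whose existing rules files use `-1` can see why they now get a finding.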