CCE-95761-3 | Platform: cpe:/o:ubuntu:ubuntu_linux:20.04 | Date: (C)2024-02-12 (M)2024-02-12 |
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.

At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. unix_update is a helper program for the pam_unix module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation in that event.

When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The AUID is represented as an unsigned 32-bit integer, so -1 equals 4294967295. The audit system interprets -1, 4294967295, and unset in the same way.
Fixtext:
Add or update the following rules in the "/etc/audit/audit.rules" file:
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
Parameter:
[Yes/No]
Technical Mechanism:
Add or update the following rules in the "/etc/audit/audit.rules" file:
-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update
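An added example, not part of the CCE record: a Python check that a rules file contains a line equivalent to the unix_update rule, accepting either ordering of the -a list and any of the three unset-AUID spellings the description lists. The function names and the sample lines are constructed for illustration.

```python
import shlex

# auditd treats these three spellings of "no login UID" identically.
UNSET_AUID = {"-1", "4294967295", "unset"}
REQUIRED = {"path=/sbin/unix_update", "perm=x", "auid>=1000", "auid!=unset"}

def normalize(field):
    """Map auid!=-1 / auid!=4294967295 / auid!=unset to one canonical form."""
    name, sep, value = field.partition("!=")
    if sep and name == "auid" and value in UNSET_AUID:
        return "auid!=unset"
    return field

def parse_rule(line):
    """Extract the -a list, the -F fields and the key from one rule line."""
    try:
        tokens = iter(shlex.split(line, comments=True))
    except ValueError:  # unbalanced quote: treat the line as unparseable
        tokens = iter(())
    rule = {"action": frozenset(), "fields": set(), "key": None}
    for opt in tokens:
        if opt not in ("-a", "-F", "-k"):
            continue
        val = next(tokens, "")
        if opt == "-a":
            rule["action"] = frozenset(val.split(","))  # order-insensitive
        elif opt == "-k" or val.startswith("key="):
            rule["key"] = val.removeprefix("key=")
        else:
            rule["fields"].add(normalize(val))
    return rule

def has_unix_update_rule(rules_text):
    """True if some line is equivalent to the rule in the Fixtext.

    Fields are ANDed, so a line with extra -F filters records fewer
    events and is deliberately not accepted.
    """
    for line in rules_text.splitlines():
        rule = parse_rule(line)
        if rule["action"] == {"always", "exit"} and rule["fields"] == REQUIRED:
            return True
    return False

# Constructed sample inputs (not taken from a real system).
EQUIVALENT = "-a exit,always -F auid!=unset -F auid>=1000 -F perm=x -F path=/sbin/unix_update -k privileged-unix-update\n"
NARROWED = "-a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=-1 -F success=1 -k privileged-unix-update\n"
```

The check reads rule text only; rules loaded into the running kernel should be compared separately, for example from the output of `auditctl -l`.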
CCSS Severity: | CCSS Metrics: |
CCSS Score: 5.9 | Attack Vector: LOCAL |
Exploit Score: 2.5 | Attack Complexity: LOW |
Impact Score: 3.4 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: LOW |
| Availability: LOW |
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:97818 |