CCE-96132-6 | Platform: cpe:/o:suse:suse_linux_enterprise_server:15 | Date: (C)2022-09-27 (M)2023-07-04
Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.
At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215
Parameter:
[yes/no]
Technical Mechanism:
Fix: Configure the SUSE operating system to generate an audit record for all uses of the "chfn" command.
Add or update the following rules in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn
To reload the rules file, restart the audit daemon
> sudo systemctl restart auditd.service
or issue the following command:
> sudo augenrules --load
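As an added example, not part of this CCE record: a POSIX shell helper that idempotently adds the exact rule above to a rules file and checks whether the running audit daemon has it loaded. The function names and the normalized form of `auditctl -l` output are assumptions.

```shell
#!/bin/sh
# Added example: ensure the chfn audit rule from the fix text is present.
# The rule string is copied verbatim from the CCE fix.
CHFN_RULE='-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-chfn'

# ensure_chfn_rule FILE: append the rule unless an identical line already
# exists, so repeated runs do not duplicate it. Prints "present" or "added".
# In production FILE would be /etc/audit/rules.d/audit.rules (needs root).
ensure_chfn_rule() {
    file="$1"
    # -F: fixed string, -x: whole line, -- : rule text starts with "-a"
    if [ -f "$file" ] && grep -Fqx -- "$CHFN_RULE" "$file"; then
        echo present
        return 0
    fi
    printf '%s\n' "$CHFN_RULE" >> "$file" || return 1
    echo added
}

# chfn_rule_loaded: verify the kernel's active rule list after
# "augenrules --load" or an auditd restart (needs root and auditctl).
# Assumption: auditctl -l prints the key as "-F key=..." rather than "-k",
# so both spellings are accepted.
chfn_rule_loaded() {
    auditctl -l 2>/dev/null \
        | grep -- 'path=/usr/bin/chfn' \
        | grep -qE -- '(-F key=|-k )privileged-chfn'
}
```

Run `ensure_chfn_rule /etc/audit/rules.d/audit.rules` as root, reload with one of the two commands above, then `chfn_rule_loaded && echo loaded` to confirm the rule is active.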
CCSS Severity | CCSS Metrics
---|---
CCSS Score: 5.1 | Attack Vector: LOCAL
Exploit Score: 2.5 | Attack Complexity: LOW
Impact Score: 2.5 | Privileges Required: NONE
Severity: MEDIUM | User Interaction: NONE
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N | Scope: UNCHANGED
 | Confidentiality: LOW
 | Integrity: LOW
 | Availability: NONE
References:

Resource Id | Reference
---|---
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:84362