Profile Applicability:
• Level 2
Description:
Privileged commands allow users to perform actions with elevated privileges, potentially impacting system security. Collecting audit logs of privileged command usage helps monitor and detect unauthorized or malicious activities.
Rationale:
Auditing privileged command execution provides visibility into administrative actions, enabling accountability and timely detection of misuse or compromise.
Impact:
Pros:
Enhances security monitoring of privileged operations.
Supports forensic investigations and compliance requirements.
Cons:
May generate a high volume of audit logs; requires effective log management.
Default Value:
Audit logging for privileged commands may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check existing audit rules for privileged command execution:
auditctl -l | grep -E '/bin/su|/bin/sudo|/usr/bin/sudo'
Verify audit rules exist for tracking execution of privileged commands.
Implementation Plan:
Using Linux command line:
Add audit rules to monitor privileged commands, for example:
auditctl -w /bin/su -p x -k privileged-command
auditctl -w /bin/sudo -p x -k privileged-command
auditctl -w /usr/bin/sudo -p x -k privileged-command
Persist audit rules by adding them to /etc/audit/rules.d/audit.rules.
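The following POSIX shell script is an added example, not part of the CIS benchmark text; it ties the Test Plan check and the Implementation Plan together. It renders the three watch rules above in the persistent form used by files under /etc/audit/rules.d/ (the auditctl arguments without the auditctl prefix), reports which privileged binaries lack an execute watch in a given auditctl -l listing, and appends any missing lines to a rules file without duplicating ones already there. The auditctl -l listing embedded below is constructed for offline demonstration; the rules file path is the one named above but can be overridden, and the function names (render_rules, missing_rules, install_rules) are this example's own.

```shell
#!/bin/sh
# Added example: verify and persist audit watch rules for privileged commands.
# Binary paths and the key name come from the benchmark text; the sample
# auditctl output at the bottom is constructed, not captured from a real host.

PRIV_CMDS="/bin/su /bin/sudo /usr/bin/sudo"
AUDIT_KEY="privileged-command"

# Print each rule in the form used inside /etc/audit/rules.d/*.rules:
# the same arguments given to auditctl, minus the "auditctl" word.
render_rules() {
    for cmd in $PRIV_CMDS; do
        printf -- '-w %s -p x -k %s\n' "$cmd" "$AUDIT_KEY"
    done
}

# Read the text of `auditctl -l` on stdin and print every privileged binary
# that has no watch with execute permission (x among the -p flags) and the
# expected key. Prints nothing when all three rules are loaded.
missing_rules() {
    loaded=$(cat)
    for cmd in $PRIV_CMDS; do
        # Match the path as a whole token followed by " -p", so that the
        # rule for /bin/su is not mistaken for one covering /bin/sudo.
        if ! printf '%s\n' "$loaded" |
            grep -E -- "^-w $cmd -p [a-z]*x[a-z]* -k $AUDIT_KEY\$" >/dev/null
        then
            printf '%s\n' "$cmd"
        fi
    done
}

# Append any rule line not already present to the rules file. The default
# path is the one named in the benchmark; a different path may be passed
# (used here to exercise the logic without root). Loading the file into the
# running kernel still requires root, e.g. `augenrules --load`, which this
# function deliberately does not run.
install_rules() {
    target=${1:-/etc/audit/rules.d/audit.rules}
    touch "$target"
    render_rules | while IFS= read -r line; do
        grep -qxF -- "$line" "$target" || printf '%s\n' "$line" >> "$target"
    done
}

# Constructed sample of `auditctl -l` output: the watch on /bin/sudo is absent.
SAMPLE_LOADED='-w /bin/su -p x -k privileged-command
-w /usr/bin/sudo -p x -k privileged-command
-w /etc/sudoers -p wa -k scope'

# Report gaps in the constructed sample.
printf '%s\n' "$SAMPLE_LOADED" | missing_rules
# Prints: /bin/sudo
```

On a live host, pipe the real listing in with `auditctl -l | sh -c '. ./check.sh; missing_rules'` (or source the file and call the function), then run install_rules as root and load the result with `augenrules --load`. Keep in mind that `auditctl -w` alone only changes the running kernel's rule set; without the rules.d entry the watches disappear at the next reboot or auditd restart, which is why the check and the persisted file should agree.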
Backout Plan:
Using Linux command line:
Remove audit rules for privileged commands if necessary:
auditctl -W /bin/su -p x -k privileged-command
auditctl -W /bin/sudo -p x -k privileged-command
auditctl -W /usr/bin/sudo -p x -k privileged-command
auditctl -D -k privileged-command
Reload audit daemon configuration.
References:
CIS Amazon Linux 2 Benchmark v3.0.0