On 1/5/18 1:31 PM, Steve Grubb wrote:
> On Friday, January 5, 2018 12:51:42 PM EST Jan Lieskovsky wrote:
>> Hello,
>>
>> On Fri, Jan 5, 2018 at 6:00 PM, Paige, David B CTR USARMY ICOE (US) <[email protected]> wrote:
>>> This check and some related ones require auditing for all users and root.
>>> The suggested line includes these elements:
>>>
>>> -a always,exit -F arch=ARCH -S rmdir,unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -k delete
>
> You might want to check that 500 is the right number
> # grep -w UID_MIN /etc/login.defs
>
>>> Should this check include "-F auid=0" to properly audit the root user?
>>
>> IIRC the motivation why "-F auid=0" was omitted at the time when writing
>> these audit rules for SSG is / was as follows -- you don't need to audit
>> actions of the root user (they need to be trusted). IOW there is just one user
>> able to act as root, and that one should / needs to be trusted.
>>
>> If the root user account is shared between multiple users (and therefore you
>> truly need to audit the root account), you would have more troubles on the
>> system (because it would actually deny the traceability / mapping of performed
>> actions back to the user who performed these actions). In such a case, even
>> having an audit log entry, you couldn't tell which of the users sharing the
>> root account performed the particular action.
>
> To maybe simplify this a bit...elsewhere in the STIG, root logins are
> disallowed. Therefore you cannot have an interactive session where auid is 0.
> If you allowed root logins, then you have an attribution problem because root
> is a shared account and you don't know who is acting as root.

^^ that's the reasoning we (Red Hat and NSA) used when signing off on the RHEL6 STIGs.
--
Shawn Wells
Chief Security Strategist
North America Public Sector
[email protected] | 443-534-0130

_______________________________________________
scap-security-guide mailing list -- [email protected]
To unsubscribe send an email to [email protected]
