
Ensure auditd Collects Information on the Use of Privileged Commands - shutdown

An XCCDF Rule

Description

At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:

-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:

-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
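The following POSIX shell script is an added example, not part of this rule page or of the SCAP Security Guide content. It implements the check a practitioner would run against the rule files named above: does any of the given audit rule files contain an "-a always,exit" rule for /usr/sbin/shutdown that restricts to real users (auid>=1000, auid not unset) and tags the event with a key? The sample rule files it writes to a scratch directory are constructed for the demonstration; on a real host you would point it at /etc/audit/rules.d/*.rules and /etc/audit/audit.rules instead.

```shell
#!/bin/sh
# Added example (not from the rule page): verify that audit rule files carry
# the privileged-command rule for /usr/sbin/shutdown described above.
# Usage: check_shutdown_rule FILE...   -> exit 0 if a matching rule is found,
#                                         1 if none of the files has one.

check_shutdown_rule() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop comment lines, then require every field the rule text demands.
        # "unset" is written 4294967295 by older auditd releases; accept both.
        grep -v '^[[:space:]]*#' "$f" \
        | grep -E -e '^[[:space:]]*-a[[:space:]]+(always,exit|exit,always)' \
        | grep -E -e '-F[[:space:]]+path=/usr/sbin/shutdown([[:space:]]|$)' \
        | grep -E -e '-F[[:space:]]+auid>=1000' \
        | grep -E -e '-F[[:space:]]+auid!=(unset|4294967295)' \
        | grep -E -e '(-F[[:space:]]+key=|-k[[:space:]]+)[^[:space:]]+' \
        | grep -q . && return 0
    done
    return 1
}

# --- constructed sample input (not real host configuration) ---
demo_dir=$(mktemp -d)

# Compliant file: the rule exactly as the page specifies it.
cat > "$demo_dir/good.rules" <<'EOF'
## privileged commands (constructed sample)
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -F key=privileged
EOF

# Non-compliant file: the auid filters are missing, so the rule would also
# record shutdowns run by system services, and the check must reject it.
cat > "$demo_dir/bad.rules" <<'EOF'
-a always,exit -F path=/usr/sbin/shutdown -F key=privileged
EOF

for f in "$demo_dir"/*.rules; do
    if check_shutdown_rule "$f"; then
        echo "PASS: $f contains the shutdown audit rule"
    else
        echo "FAIL: $f lacks a complete shutdown audit rule"
    fi
done
```

The check only recognises the "-a always,exit ... -F path=" form shown on this page; a watch-style rule ("-w /usr/sbin/shutdown -p x -k privileged") also produces the required events but is not matched here. It inspects files on disk, so pair it with "auditctl -l" when you also need to confirm that the rule is actually loaded in the running kernel.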

Rationale

Misuse of the shutdown command may cause availability issues for the system.

ID
xccdf_org.ssgproject.content_rule_audit_privileged_commands_shutdown
Severity
Medium
References
Updated



Remediation - Kubernetes Patch


apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition: