mediumauditverified ✓
Audit execution of privileged commands via execve
audit-execve-privileged · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The audit system must record every execve at a higher privilege level than the calling user — both the setuid case (uid != euid, euid == 0) and the setgid case (gid != egid, egid == 0), for the 32-bit and 64-bit ABIs (four rules).
Rationale
Privileged execve auditing is how the system attributes actions taken by a process that elevated its privileges. Without all four rules an attacker could execute a privileged binary on the un-audited ABI or privilege axis and leave no trail.
Check → Remediate
Checkcommand
loaded=$(auditctl -l 2>/dev/null) miss="" echo "$loaded" | grep -Eq 'arch=b32.*-S execve.*uid!=euid.*euid=0' || miss="$miss b32/uid" echo "$loaded" | grep -Eq 'arch=b64.*-S execve.*uid!=euid.*euid=0' || miss="$miss b64/uid" echo "$loaded" | grep -Eq 'arch=b32.*-S execve.*gid!=egid.*egid=0' || miss="$miss b32/gid" echo "$loaded" | grep -Eq 'arch=b64.*-S execve.*gid!=egid.*egid=0' || miss="$miss b64/gid" if [ -n "$miss" ]; then echo "FAIL: missing privileged-execve audit rules:$miss" exit 1 fi echo "OK: all four privileged-execve audit rules are loaded" exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- Add these four rules to a file under /etc/audit/rules.d/ then run 'augenrules --load' (a reboot is required if auditd is in immutable mode): -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv
Framework references
STIG
V-230386 / RHEL-08-030000V-270689 / UBTU-24-200580V-260648 / UBTU-22-654230
NIST 800-53
AC-6AU-12
Live verification
ubuntu22:checkubuntu24:check
#audit#execve#privileged#execpriv#stig