← Rules Catalog
mediumauditverified

Audit execution of privileged commands via execve

audit-execve-privileged · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The audit system must record every execve at a higher privilege level than the calling user — both the setuid case (uid != euid, euid == 0) and the setgid case (gid != egid, egid == 0), for the 32-bit and 64-bit ABIs (four rules).

Rationale

Privileged execve auditing is how the system attributes actions taken by a process that elevated its privileges. Without all four rules an attacker could execute a privileged binary on the un-audited ABI or privilege axis and leave no trail.

Check → Remediate

Checkcommand
loaded=$(auditctl -l 2>/dev/null)
miss=""
echo "$loaded" | grep -Eq 'arch=b32.*-S execve.*uid!=euid.*euid=0' || miss="$miss b32/uid"
echo "$loaded" | grep -Eq 'arch=b64.*-S execve.*uid!=euid.*euid=0' || miss="$miss b64/uid"
echo "$loaded" | grep -Eq 'arch=b32.*-S execve.*gid!=egid.*egid=0' || miss="$miss b32/gid"
echo "$loaded" | grep -Eq 'arch=b64.*-S execve.*gid!=egid.*egid=0' || miss="$miss b64/gid"
if [ -n "$miss" ]; then
  echo "FAIL: missing privileged-execve audit rules:$miss"
  exit 1
fi
echo "OK: all four privileged-execve audit rules are loaded"
exit 0
expected_exit:
0
Remediatemanual
note:
Add these four rules to a file under /etc/audit/rules.d/ then run 'augenrules --load' (a reboot is required if auditd is in immutable mode): -a always,exit -F arch=b32 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv -a always,exit -F arch=b32 -S execve -C gid!=egid -F egid=0 -k execpriv -a always,exit -F arch=b64 -S execve -C gid!=egid -F egid=0 -k execpriv

Framework references

STIG

V-230386 / RHEL-08-030000V-270689 / UBTU-24-200580V-260648 / UBTU-22-654230

NIST 800-53

AC-6AU-12

Live verification

ubuntu22:checkubuntu24:check
#audit#execve#privileged#execpriv#stig