mediumauditverified ✓✓rollback-safe
Audit privileged execution of /usr/bin/newgrp (Ubuntu)
audit-priv-newgrp · UBUNTU ≥ 22 · 1 impl
Description
All uses of the /usr/bin/newgrp command must generate an audit record so that group-id changes can be traced to an individual.
Rationale
Auditing execution of privileged commands allows detection of misuse and supports forensic investigation of privilege escalation.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=unset -k priv_cmd
- persist_file:
- /etc/audit/rules.d/50-priv-newgrp.rules
Framework references
STIG
V-270791 / UBTU-24-900200V-260616 / UBTU-22-654070
NIST 800-53
AU-2AU-12
Live verification
ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#privileged