mediumauditverified ✓✓rollback-safe
Audit privileged execution of /usr/sbin/pam_timestamp_check (Ubuntu)
audit-priv-pam_timestamp_check · UBUNTU ≥ 22 · 1 impl
Description
All uses of the /usr/sbin/pam_timestamp_check command must generate an audit record so that PAM timestamp checks can be traced to an individual.
Rationale
Auditing execution of privileged commands allows detection of misuse and supports forensic investigation of privilege escalation.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged-pam_timestamp_check
- persist_file:
- /etc/audit/rules.d/50-priv-pam_timestamp_check.rules
Framework references
STIG
V-270804 / UBTU-24-900330V-260617 / UBTU-22-654075
NIST 800-53
AU-2AU-12
Live verification
ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#privileged