OpenSCAP: $(oscap.check.title) (not passed)

Customer support forums for Atomic Protector (formerly Atomic Secured Linux). There is no such thing as a bad question here as long as it pertains to using Atomic Protector. Newbies feel free to get help getting started or asking questions that may be obvious. Regular users are asked to be gentle. :-)
jbmoore
Forum User
Posts: 30
Joined: Thu Mar 09, 2017 7:26 pm
Location: California

Unread post by jbmoore »

Hi,

Got the above output in my event log and when I click "read more" on that event, there was no documentation.. So...

Below is the description in the event details.. Seems to suggest the "privileged functions" were misused..

Is this something that I should look into further..???

oscap.check.description:

At a minimum, the audit system should collect the execution of privileged commands for all users and root. To find the relevant setuid / setgid programs, run the following command for each local partition PART:

    $ sudo find PART -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules for each setuid / setgid program on the system, replacing the SETUID_PROG_PATH part with the full path of that setuid / setgid program in the list:

    -a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged

oscap.check.rationale:

Misuse of privileged functions, either intentionally or unintentionally by authorized users, or by unauthorized external entities that have compromised system accounts, is a serious and ongoing concern and can have significant adverse impacts on organizations. Auditing the use of privileged functions is one way to detect such misuse and identify the risk from insider and advanced persistent threats. Privileged programs are subject to escalation-of-privilege attacks, which attempt to subvert their normal role of providing some necessary but limited capability. As such, motivation exists to monitor these programs for unusual activity.
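Added example, not from jbmoore's post or from Atomic Protector's own tooling: a POSIX shell script that carries out the remediation the check description above asks for (enumerate setuid/setgid programs on local partitions, emit one audit rule per program, and report programs that still lack a rule). It assumes auditd loads rules with augenrules from /etc/audit/rules.d, the defaults named in the description; the file name privileged.rules is an assumption.

```shell
#!/bin/sh
# Build the audit rules the OpenSCAP "privileged commands" check expects.
# Assumption: auditd uses augenrules and reads /etc/audit/rules.d (the defaults).
RULES_DIR="${RULES_DIR:-/etc/audit/rules.d}"
RULES_FILE="$RULES_DIR/privileged.rules"   # file name is an assumption

# One audit rule for a single setuid/setgid program path, in the exact form the check gives.
audit_rule_for() {
    printf -- '-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n' "$1"
}

# setuid/setgid regular files below a mount point, without crossing into other filesystems.
find_privileged() {
    find "$1" -xdev \( -type f -perm -4000 -o -type f -perm -2000 \) 2>/dev/null | sort
}

# Mount points of local partitions (the "each local partition PART" of the description).
local_partitions() {
    df --local -P 2>/dev/null | awk 'NR > 1 { print $6 }'
}

# Read program paths from stdin; print those that have no matching rule in the given file.
missing_rules() {
    rules="$1"
    while IFS= read -r prog; do
        [ -n "$prog" ] || continue
        if ! grep -qsF -- "-F path=$prog -F perm=x" "$rules"; then
            printf '%s\n' "$prog"
        fi
    done
}

# Write a complete rules file covering every privileged program on all local partitions.
generate_rules_file() {
    out="$1"
    : > "$out"
    for part in $(local_partitions); do
        find_privileged "$part"
    done | sort -u | while IFS= read -r prog; do
        audit_rule_for "$prog"
    done >> "$out"
}

# Usage (as root): generate_rules_file "$RULES_FILE" && augenrules --load
# Re-check later, e.g. after package updates add new setuid binaries:
#   for p in $(local_partitions); do find_privileged "$p"; done | missing_rules "$RULES_FILE"
# An empty result means every privileged program currently has a rule.
```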

Re: OpenSCAP: $(oscap.check.title) (not passed)

Unread post by jbmoore »

I'm still seeing this in my Recent Events log.. Any feedback on whether this is something I should be pursuing..??

Thanks..