
GOV.UK Guidance

End User Devices Guidance: Ubuntu 14.04 LTS
Contents
1. Usage scenario
2. Summary of platform security
3. Significant risks
4. How the platform can best satisfy the security recommendations
5. Network architecture
6. Deployment process
7. Provisioning steps
8. Policy recommendations
9. Enterprise considerations

This guidance is applicable to any device running Ubuntu 14.04 LTS. This version of Ubuntu is the latest Long Term Support (LTS) version available at the time of writing and is due to be supported by Canonical until 2019.

1. Usage scenario
Ubuntu devices will be used remotely over any network bearer, including Ethernet, Wi-Fi and 3G, to connect back to the enterprise over a VPN. This enables a variety of remote working approaches such as:
- accessing OFFICIAL email
- creating, editing, reviewing and commenting on OFFICIAL documents
- accessing the OFFICIAL intranet resources, the internet and other web resources
To support these scenarios, the following architectural choices are recommended:
- All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic, and to benefit from enterprise protective monitoring solutions.
- Users should not be allowed to install arbitrary applications on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.

2. Summary of platform security
This platform has been assessed against each of the 12 security recommendations, and that assessment is shown in the table below. Explanatory text indicates that there is something related to that recommendation that the risk owners should be aware of. Rows marked [!] represent a more significant risk. See How the platform can best satisfy the security recommendations for more details about how each of the security recommendations is met.

Recommendation: Rationale
1. Assured data in transit protection: The built-in VPN has not been independently assured to Foundation Grade.
2. Assured data at rest protection: LUKS and dm-crypt have not been independently assured to Foundation Grade.
3. Authentication
4. Secure boot: Secure boot is not fully supported on this platform.
5. Platform integrity and application sandboxing
6. Application whitelisting
7. Malicious code detection and prevention
8. Security policy enforcement
9. External interface protection
10. Device update policy
11. Event collection for enterprise analysis
12. Incident response

3. Significant risks
The following significant risks have been identified:
- The VPN has not been independently assured to Foundation Grade. Without assurance in the VPN there is a risk that data transiting from the device could be compromised.
- Users may choose to ignore certificate warnings, leaving data in transit vulnerable to interception and alteration.
- The LUKS/dm-crypt disk encryption solutions have not been independently assured to Foundation Grade, and do not support some of the mandatory requirements expected from assured full disk encryption products. Without assurance there is a risk that data stored on the device could be compromised. However, the tpm-luks project can enable usage of Trusted Platform Modules (TPMs) by LUKS, which may help meet more of these requirements.
- Ubuntu does not use any dedicated hardware to protect its disk encryption keys. If an attacker can get physical access to the device, they can perform an offline brute-force attack to recover the encryption password.
- Encryption keys protecting sensitive data remain available to an attacker when the device is locked. This means that if the device is attacked while powered on and locked, keys and data on the device may be compromised without the attacker knowing the password.
- Whilst not specific to Ubuntu, many devices which can run Ubuntu have external interfaces which permit Direct Memory Access (DMA) from connected peripherals. This presents an opportunity for a local attacker to exfiltrate keys and data.

4. How the platform can best satisfy the security recommendations
This section details the platform security mechanisms which best address each of the security recommendations.

4.1 Assured data in transit protection
Use the strongSwan IPsec VPN client until a Foundation Grade VPN client for this platform becomes available.

4.2 Assured data at rest protection
Use LUKS/dm-crypt to provide full volume encryption. CESG recommend the use of a complex password of at least 9 characters in length, or of at least 6 characters in length when used in conjunction with a second factor.

4.3 Authentication
The user has a different authentication password to authenticate themselves to the device once they have entered the decryption password.
Alternatively, the user can implicitly authenticate to the device by decrypting the disk at boot time with their LUKS/dm-crypt password. This password unlocks a key which encrypts certificates and other credentials, giving access to enterprise services.

4.4 Secure boot
At present, Ubuntu cannot be configured to fully boot securely. Minor security benefit can be obtained by applying the configuration given in the Policy recommendations section below, but this will not fully satisfy the secure boot recommendation.

4.5 Platform integrity and application sandboxing
These requirements are met implicitly by the platform. Where available, AppArmor profiles limit applications' access to the platform. Other applications can be configured to use AppArmor if required.

4.6 Application whitelisting
Permissions can be configured at install time to ensure users cannot execute applications from any disk partition that they can write to. All application installation should be performed by an administrator.

4.7 Malicious code detection and prevention
The platform implicitly provides some protection against malicious code being able to run when configured as recommended.
Several third-party anti-malware products exist which attempt to detect malicious code for this platform. Content-based attacks can be filtered by scanning capabilities in the enterprise.

4.8 Security policy enforcement
The enforcement of security policies will be conducted by various operating system components and third-party products, based upon configuration files contained in specific directories. These include PolicyKit rules and LightDM settings, DConf settings, PackageKit rules, gksu settings and gksudo settings.
These configuration changes can be managed centrally through the use of Ubuntu packages, which can be deployed from the Software Configuration Management server.
Settings applied by the administrator cannot be modified by the user.

4.9 External interface protection
Interfaces can be configured using standard platform configuration files.
DMA is possible from some external interfaces including FireWire and Thunderbolt. As this platform does not control access via DMA, it is advisable to procure hardware which does not have external DMA interfaces present if possible.

4.10 Device update policy
Operating system security updates can be configured to be automatically applied. Using the recommended automatic setting, application updates are installed automatically when the device is switched on and fully booted. Kernel updates are applied when the user restarts their Ubuntu device.

4.11 Event collection for enterprise analysis
By default the majority of applications on Ubuntu will use RSyslog to output event logs. RSyslog can forward logs to a remote server, which is most reliable when using TCP or the RELP protocol and can be secured with TLS encryption. RSyslog can also be configured to queue log messages when the remote server is unavailable and flush this queue to disk when the system is shut down, which can avoid messages being discarded when connectivity to the central log server is unavailable.
Additional auditing can also be performed with auditd for specific events of interest to an administrator.
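The following is an added example, not part of the CESG guidance: a shell script that writes an rsyslog forwarding fragment of the kind described above (TCP transport, TLS via the gtls driver, a disk-assisted queue that is saved on shutdown and unlimited retries) and then checks a fragment for those properties. It uses rsyslog's legacy directive syntax, which the rsyslog 7 shipped with Ubuntu 14.04 accepts; the server name logserver.example.com, port 6514 and the certificate paths under /etc/rsyslog.d/tls/ are assumptions, and the fragment is written to a path given on the command line rather than directly into /etc/rsyslog.d.

```shell
#!/bin/sh
# Added example (not from the guidance). Generates and checks an rsyslog
# forwarding fragment. Assumed (constructed) values: server
# logserver.example.com, TLS port 6514, certificate paths under
# /etc/rsyslog.d/tls/. On Ubuntu the gtls driver needs the rsyslog-gnutls
# package, and the disk queue needs $WorkDirectory (set to
# /var/spool/rsyslog in the stock rsyslog.conf).

# write_forwarding_conf DEST SERVER PORT
write_forwarding_conf() {
    dest="$1"; server="$2"; port="$3"
    cat > "$dest" <<EOF
# TLS transport with certificate-based verification of the log server
\$DefaultNetstreamDriverCAFile /etc/rsyslog.d/tls/ca.pem
\$DefaultNetstreamDriverCertFile /etc/rsyslog.d/tls/client-cert.pem
\$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/tls/client-key.pem
\$DefaultNetstreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer $server

# Queue on disk while the server is unreachable, keep the queue across
# shutdown, and retry forever rather than discarding messages.
\$ActionQueueType LinkedList
\$ActionQueueFileName fwdq
\$ActionQueueMaxDiskSpace 1g
\$ActionQueueSaveOnShutdown on
\$ActionResumeRetryCount -1

# Forward everything over TCP (@@); a single @ would mean UDP.
*.* @@$server:$port
EOF
}

# check_forwarding_conf FILE -> 0 if the fragment forwards over TCP, uses
# TLS in TLS-only mode and keeps its queue; otherwise prints what is
# missing and returns 1.
check_forwarding_conf() {
    f="$1"
    grep -Eq '^\*\.\* @@' "$f" || { echo "missing: TCP forwarding (@@)"; return 1; }
    grep -Eq '^\$DefaultNetstreamDriver gtls$' "$f" || { echo "missing: gtls TLS driver"; return 1; }
    grep -Eq '^\$ActionSendStreamDriverMode 1$' "$f" || { echo "missing: TLS-only stream mode"; return 1; }
    grep -Eq '^\$ActionQueueSaveOnShutdown on$' "$f" || { echo "missing: queue saved on shutdown"; return 1; }
    grep -Eq '^\$ActionResumeRetryCount -1$' "$f" || { echo "missing: unlimited retries"; return 1; }
    return 0
}

# Demo: write a fragment to a temporary file and check it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_forwarding_conf "$tmp" logserver.example.com 6514
    check_forwarding_conf "$tmp" && echo "fragment OK"
    cat "$tmp"
    rm -f "$tmp"
fi
```

Run it with --demo to see the generated fragment; to deploy, write the output to a file under /etc/rsyslog.d/ and restart rsyslog. The check is deliberately strict about StreamDriverMode 1, since mode 0 would let the client fall back to plaintext TCP.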

4.12 Incident response
There is no native remote wipe functionality available for Ubuntu, but remote wipe functionality can be implemented with a configuration management system such as Puppet. This system could also destroy key material for encrypted hard drives or use a secure erase feature of the drive if present.
Access to the enterprise network can be prevented by revoking the VPN client certificate associated with a lost or stolen device. Additionally, the client certificates for any other enterprise servers (such as email) that are stored on the device should be revoked.

5. Network architecture
CESG recommend that for remote or mobile working scenarios, organisations use a Software Configuration Management (SCM) service as part of a typical remote access architecture based on the Walled Garden Architectural Pattern as shown below.

(Figure: Recommended network architecture for Ubuntu 14.04 LTS deployments)

6. Deployment process
It is possible to deploy Ubuntu with the recommended configuration either via a Software Configuration Management service or to deploy this configuration with the install and post-install scripts provided with this guidance. An SCM service can help manage a large number of machines with differing requirements from a central location, although deploying simply with a script at install time can be simpler for smaller scale deployments.
If using a Software Configuration Management (SCM) service, the following steps should be taken:
1. Procure and provision an SCM server, such as Puppet or Chef. Optionally install Landscape as the system management tool.
2. Produce and provision an Ubuntu repository mirror and custom repository. This can be installed on the same host as the Software Configuration Management server.
3. Install and configure Ubuntu 14.04.1 LTS x86_64 in accordance with the requirements on a dedicated system for the purpose of building configuration packages.
4. Create signed packages to push the security configuration settings, and upload them to the custom repository. Update the list of packages in the Software Configuration Manager by re-synchronising with the repositories if required.

7. Provisioning steps
1. With the device configured to use UEFI mode, with no support for Legacy booting, and Secure Boot enabled, the device should be booted to the latest x86_64 Ubuntu 14.04 LTS Desktop Live CD.
2. At the GRUB menu, the Try Ubuntu without installing option should be selected.
3. Once the desktop has loaded, installation can proceed with the provided installation script (which can be copied from a USB stick). This script will:
   - clear any existing partitions from the disk and create a GUID Partition Table (GPT) with a 512MB EFI partition at the start of the disk followed by a 512MB Linux Native boot partition and the remaining free space as an encrypted Linux Logical Volume Manager (LVM) partition.
   - format the LVM partition with Linux Unified Key Setup (LUKS) to enable disk encryption with the specified password and open it ready for use.
   - initialise and create a Logical Volume Group in the LUKS encrypted volume.
   - within the group, create volumes for a swap, /tmp, /home and root (/).
   - launch the Ubiquity installer, in which the volumes should be selected and associated with the proper mount points and set to be used as EXT4 partitions, with the exception of swap which should simply be specified as used for swap space. The boot partition should also be selected to mount as /boot and also be EXT4. After the installer, Continue Testing should be selected to allow the script to finish its tasks.
   - create a valid /etc/crypttab in the newly installed system (achieved by mounting the relevant partitions).
   - with the new system mounted and in a chroot environment, execute # update-initramfs -u -k all to allow LUKS to operate correctly at boot.
4. If opting not to use an SCM service, the script will apply as much of the recommended configuration as possible at install time. The final steps can be applied with the post-install script. If using an SCM, the new system can be added to it now and the relevant configuration packages applied to it.
5. Create a VPN certificate for the device, along with a certificate for the intended user, and copy both of these to the device over a secure network connection.
6. Configure strongSwan to connect to the VPN gateway using the relevant profile and certificate files, and then restart the strongSwan daemon. Example strongSwan configuration files are provided with this guidance but these will usually need to be customised for the specific environment.

8. Policy recommendations
This section details important security policy settings which are recommended for an Ubuntu deployment. Other settings (eg server address) should be chosen according to the relevant network configuration.

8.1 Secure boot
Whilst Secure Boot hardware can verify the first step of the boot chain, Ubuntu does not continue verifying the booting system, so enabling and configuring Secure Boot offers no additional security benefit.

8.2 Automatic updates
Automatic updates should be enabled by executing # dpkg-reconfigure unattended-upgrades and selecting Yes. Alternatively, the /etc/apt/apt.conf.d/20auto-upgrades file can be created with the following content:

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";

The default configuration will only permit security-related updates to be automatically installed. This can be changed by editing the /etc/apt/apt.conf.d/50unattended-upgrades file to enable additional sources for automatic updates.
To enable additional non-security automatic updates, uncomment the line "${distro_id}:${distro_codename}-updates";. The Unattended-Upgrade::Allowed-Origins list should then contain the -security and -updates origins. Note that security updates are also added to the -updates archive shortly after release in -security.
Other configuration settings are available and are detailed in /etc/cron.daily/apt and /etc/apt/apt.conf.d/50unattended-upgrades.
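As an added example (not part of the guidance), the following shell functions verify the two settings above on a host or on copies of its files: that 20auto-upgrades enables both the package list refresh and the unattended upgrade run, and which origins in 50unattended-upgrades are actually uncommented. File paths are passed as arguments; the file contents shown in the demo are constructed to match the stock Ubuntu layout.

```shell
#!/bin/sh
# Added example (not from the guidance): compliance checks for the
# automatic update settings in section 8.2. Paths are arguments so the
# checks can be run against /etc/apt/apt.conf.d/20auto-upgrades and
# 50unattended-upgrades or against copies.

# apt_periodic_value FILE KEY -> prints the value of the last
# APT::Periodic::KEY "value"; line in FILE, or nothing if absent.
apt_periodic_value() {
    sed -n "s/^APT::Periodic::$2[[:space:]]*\"\([^\"]*\)\";\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# auto_upgrades_enabled FILE -> 0 only if both Update-Package-Lists and
# Unattended-Upgrade are "1" (the state dpkg-reconfigure writes).
auto_upgrades_enabled() {
    [ "$(apt_periodic_value "$1" Update-Package-Lists)" = "1" ] &&
    [ "$(apt_periodic_value "$1" Unattended-Upgrade)" = "1" ]
}

# allowed_origins FILE -> prints each uncommented origin pattern inside
# the Unattended-Upgrade::Allowed-Origins { ... } block, one per line.
# Lines commented out with // are skipped because they do not start
# with a quote.
allowed_origins() {
    awk '
        /^Unattended-Upgrade::Allowed-Origins[[:space:]]*[{]/ { inblock = 1; next }
        inblock && /^[[:space:]]*[}]/ { inblock = 0 }
        inblock && /^[[:space:]]*"/ {
            line = $0
            sub(/^[[:space:]]*"/, "", line)
            sub(/".*$/, "", line)
            print line
        }
    ' "$1"
}

# updates_origin_enabled FILE -> 0 if the -updates origin is active, i.e.
# non-security updates will also be installed automatically.
updates_origin_enabled() {
    allowed_origins "$1" | grep -q -- '-updates$'
}

# Demo against the live system files, when present.
if [ "${1:-}" = "--demo" ]; then
    a=/etc/apt/apt.conf.d/20auto-upgrades
    u=/etc/apt/apt.conf.d/50unattended-upgrades
    if [ -r "$a" ] && auto_upgrades_enabled "$a"; then
        echo "automatic updates: enabled"
    else
        echo "automatic updates: NOT enabled"
    fi
    [ -r "$u" ] && { echo "allowed origins:"; allowed_origins "$u"; }
fi
```

The origin parser only recognises the block form used by the stock file; an origin list written in a single line would need a different parser. Run as root, `--demo` reports the state of the real files.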

8.3 Software restriction
A separate partition should be created for /home and this, along with /run/shm and a tmpfs /tmp directory, should be configured in /etc/fstab to not allow execution of any files they contain. Users should only be able to create and edit files on these partitions. For example, this could be achieved by giving the /home entry the mount options noexec,nosuid,nodev (with dump and pass fields 0 0) and adding the lines none /tmp tmpfs noexec,nosuid,nodev 0 0 and none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0 to /etc/fstab.
Any additional locations on the filesystem that the non-administrator user can both write to and execute from should be identified and locked down by changing group membership or directory permissions where possible.
Known problematic locations on a 14.04.1 LTS install configured as per this guidance are /var/crash, /var/metrics, /var/tmp and /home/lightdm-data/<username>. All but the latter can be addressed by removing other write permission. The lightdm-data subdirectory however is manipulated by a root-level LightDM process to always be writable and executable by the user, so instead create a replica lightdm-data directory on the /home partition (which is mounted with noexec) and create a symlink to a user subdirectory there as in the example below:

# mkdir /home/lightdm-data
# chmod 755 /home/lightdm-data
# mkdir /home/lightdm-data/someuser
# chown someuser:lightdm /home/lightdm-data/someuser
# chmod 770 /home/lightdm-data/someuser
# ln -s /home/lightdm-data/someuser /var/lib/lightdm-data/someuser

Any remaining locations, if any, should be added to the deny rules in the AppArmor configuration as shown below. The command # find / -type d -writable will identify directories where a user can write files when run as that user; locations on partitions where execution is not possible can be ignored.
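The following shell script is an added example, not the guidance's install script: it checks /etc/fstab for the noexec requirement on /home, /tmp and /run/shm, and wraps the find command above so that writable directories on noexec mounts are filtered out, leaving only the locations that still need locking down. The fstab path is an argument so the functions can be run against a constructed copy; the fstab contents in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the guidance): fstab noexec audit and a filtered
# list of user-writable directories for section 8.3. FSTAB is given as an
# argument (use /etc/fstab on the device); run writable_exec_dirs as the
# end user, since -writable is evaluated for the calling user.

# Mount points the guidance expects to carry noexec.
REQUIRED_NOEXEC="/home /tmp /run/shm"

# mount_options FSTAB MOUNTPOINT -> options field of the entry for
# MOUNTPOINT (comments and blank lines ignored), or nothing if absent.
mount_options() {
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4 }' "$1" | tail -n 1
}

# has_option OPTS NAME -> 0 if comma-separated OPTS contains NAME exactly.
has_option() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -qx -- "$2"
}

# missing_noexec FSTAB -> prints each required mount point that is absent
# from FSTAB or mounted without noexec; returns 1 if there are any.
missing_noexec() {
    rc=0
    for mp in $REQUIRED_NOEXEC; do
        opts=$(mount_options "$1" "$mp")
        if [ -z "$opts" ] || ! has_option "$opts" noexec; then
            echo "$mp"
            rc=1
        fi
    done
    return $rc
}

# noexec_mounts FSTAB -> every mount point whose options include noexec.
noexec_mounts() {
    awk '$1 !~ /^#/ && NF >= 4 && $4 ~ /(^|,)noexec(,|$)/ { print $2 }' "$1"
}

# writable_exec_dirs FSTAB [ROOT] -> directories under ROOT (default /)
# that the calling user can write to and that are not under a noexec
# mount: the candidates for permission changes or AppArmor deny rules.
writable_exec_dirs() {
    fstab="$1"; root="${2:-/}"
    mounts=$(noexec_mounts "$fstab")
    find "$root" -type d -writable 2>/dev/null | while IFS= read -r d; do
        skip=0
        for m in $mounts; do
            case "$d" in "$m"|"$m"/*) skip=1; break ;; esac
        done
        if [ "$skip" -eq 0 ]; then echo "$d"; fi
    done
}

# Demo against the live system.
if [ "${1:-}" = "--demo" ]; then
    if missing_noexec /etc/fstab; then
        echo "all required mounts carry noexec"
    else
        echo "(listed mount points above lack noexec)"
    fi
    echo "writable directories outside noexec mounts:"
    writable_exec_dirs /etc/fstab /
fi
```

The filter matches fstab mount points only, so a directory that is bind-mounted or mounted by something other than fstab is reported as executable; cross-check against the output of mount on the live system before trusting a clean result.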
Install additional AppArmor profiles and set those for software that is installed into enforce mode. The extra profiles can be obtained by executing # apt-get update followed by # apt-get install apparmor-profiles apparmor-utils. Then execute the following to put specific profiles for software that is installed in the recommended configuration into enforce mode:

# aa-enforce /etc/apparmor.d/usr.bin.firefox
# aa-enforce /etc/apparmor.d/usr.sbin.avahi-daemon
# aa-enforce /etc/apparmor.d/usr.sbin.dnsmasq
# aa-enforce /etc/apparmor.d/bin.ping
# aa-enforce /etc/apparmor.d/usr.sbin.rsyslogd

Also note that ensuring the end user's account does not have sudo access is also important to ensure proper software restriction. More details on this can be found in the User setup section below.
If shell access is not required it can be disabled. To do this, before creating any users, set the default shell to /usr/sbin/nologin in both /etc/default/useradd and /etc/adduser.conf. This prevents users gaining access to the shell via the console, SSH, or the GUI.

8.4 User setup
1. The default Ubuntu installer, Ubiquity, will create a user account during install. For the recommended configuration this user account should be considered to be the administrator of the system and not be assigned to the end user of the device. This user account will have sudo access with which it can perform administration tasks. After install, another user account should be created with adduser with default options. This user account should not have sudo access and the password can be provided to the end user of the device. As a further step, this user account can be prevented from executing the su command by running # dpkg-statoverride --update --add root adm 4750 /bin/su to change the command's permissions. Similar protection can also be applied to gksu, gksudo, pkexec, pkcon and so on, as appropriate.
2. Disable guest login through LightDM by creating /etc/lightdm/lightdm.conf.d/50-no-guest.conf with the following content (leaving a blank line at the end of the file):

[SeatDefaults]
allow-guest=false

3. Remove read access to user home directories and set a more secure default umask:
   - For any existing home directories, use chmod 750.
   - In /etc/adduser.conf ensure the DIR_MODE setting is set to 0750.
   - In /etc/login.defs ensure the UMASK setting is set to 027.

8.5 Privacy
By default Ubuntu has some features enabled which can be a privacy concern. To disable these features take the following steps:
1. Disable Apport error reporting by ensuring that /etc/default/apport contains enabled=0.
2. To prevent what is typed into the Dash from triggering online searches, go to System Settings, Privacy, Search, and set Include online results in Dash to disabled. Alternatively, online scopes can be disabled by executing:

$ gsettings set com.canonical.Unity.Lenses remote-content-search 'none'
$ gsettings set com.canonical.Unity.Lenses disabled-scopes "['more_suggestions-amazon.scope', 'more_suggestions-u1ms.scope', 'more_suggestions-populartracks.scope', 'music-musicstore.scope', 'more_suggestions-ebay.scope', 'more_suggestions-ubuntushop.scope', 'more_suggestions-skimlinks.scope']"

These settings should be locked so users cannot unset them by doing the following steps:
Create a /etc/dconf/profile/user file containing:

user-db:user
system-db:local

Create a /etc/dconf/db/local.d/unity file containing:

[com/canonical/unity/lenses]
remote-content-search='none'

Create a /etc/dconf/db/local.d/locks/unity file containing:

# Do not allow remote content searching in Unity
/com/canonical/unity/lenses/remote-content-search

Then run # dconf update.
The provided installation script runs these commands each logon via a LightDM hook to ensure such scopes are always disabled.

8.6 VPN
strongSwan VPN is capable of supporting the PSN Interim IPsec Profile and the PSN End State IPsec profile. strongSwan has not completed the CESG CPA process, so at this time it provides technical, but not assured, data in transit protection.
Recommended PSN IPsec profile configuration summary:

PSN end-state IPsec profile
  ESP
    Encryption: AES-128 in GCM-128
  IKEv2
    Encryption: AES-128 in GCM-128 (and optionally CBC*)
    Pseudo-random function: HMAC-SHA256-128
    Diffie-Hellman group: 256-bit random ECP (RFC 5903), Group 19
    Authentication: ECDSA-256 with SHA256 on P-256 curve

* If supporting CBC for IKEv2 encryption, the integrity algorithm that should be used is HMAC-SHA256-128.
A sample strongSwan default section for the above is:

conn %default
    keyexchange=ikev2
    ike=aes128gcm128-prfsha256-ecp256!
    esp=aes128gcm128-ecp256!
    ikelifetime=60m
    lifetime=20m
    margintime=3m
    keyingtries=%forever
    closeaction=restart
    dpdaction=restart

PSN interim IPsec profile
  IKEv1
    Encryption: AES-128 in CBC mode
    Pseudo-random function: SHA-1
    Diffie-Hellman group: Group 5 (1536 bits)
    Authentication: RSA with X.509 certificates

8.7 Firewall
The firewall should be configured to block incoming connections; external connections can also be limited to only allow access to provisioned enterprise services. This can be achieved using a ufw configuration such as:

# ufw limit 22/tcp    # Limit incoming SSH connections to 6 connections per IP address per 30 seconds
# ufw enable

Restrict outgoing access solely to the VPN server (172.99.99.2 in this example):

# ufw allow out proto udp to 172.99.99.2 port 500
# ufw allow out proto udp to 172.99.99.2 port 4500
# ufw default deny outgoing

Normal traffic will be able to flow down the IPsec tunnel once the security association is established (leftfirewall=yes must be set in the strongSwan configuration file).
In order for DHCP on the LAN to function, this must be allowed:

# ufw allow out from any port 67 to any port 68 proto udp
# ufw allow out from any port 68 to any port 67 proto udp

Alternatively, for more fine-grained configurations, the iptables-persistent package may be used:

# apt-get install -y iptables-persistent

9. Enterprise considerations
The following points are in addition to the common enterprise considerations, and contain specific issues for Ubuntu deployments.

9.1 Application whitelisting
Ubuntu can be configured such that users cannot run programs from areas where they are permitted to write files. This ensures users can only access programs provisioned by an administrator, although this also prevents users from installing pre-approved software by themselves.
In addition, it is recommended that users do not have access to script interpreters such as Python, Perl, or shells including bash. Access to these can be restricted using a combination of AppArmor, file permissions, and file attributes.

9.2 Auditing
Auditing can be enabled and configured via an application called auditd. Rules can be configured which enable auditing of various system events.
This can be installed with the following command:

# apt-get install -y auditd

Additional configuration is required in order for auditd to monitor for events. The following examples can be used.

Monitoring changes and execution within /tmp
In /etc/audit/rules.d/tmp-monitor.rules, place the following configuration:

# Monitor changes and executions within /tmp
-w /tmp/ -p wa -k tmp_write
-w /tmp/ -p x -k tmp_exec

Monitoring administrator access to /home directories
In /etc/audit/rules.d/admin-home-watch.rules, place the following configuration:

# Monitor administrator access to /home directories
-a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid -k admin_user_home

If files are created or modified within /etc/audit/rules.d/ then # augenrules must be run to merge the changes to the main auditd configuration. Once run, restart auditd with service auditd restart.
Audit events are then recorded in /var/log/audit/audit.log. This file can be parsed with various tools, such as aureport. Example usage of this command is # aureport --input /var/log/audit/audit.log
To test the above configuration, the following commands will trigger the auditing rules:

$ touch /tmp/audit_test_file
$ chmod u+x /tmp/audit_test_file
$ /tmp/audit_test_file
$ sudo -i
# ls /home

Legal information
This guidance is issued by CESG, the UK's National Technical Authority on Information Assurance. One of the roles of CESG is to provide advice to UK government entities and organisations providing services to UK government. The guidance found here is provided and intended for use by this audience. It is provided 'as is' as an example of how specific requirements could be met. It should be used to help inform risk management decisions on the use of the products described, but it should not be used for procurement decisions; it is not intended to be exhaustive, it does not act as an endorsement of any particular product or technology, and it is not tailored to individual needs. It is not a replacement for independent, specialist advice. Users should ensure that they take appropriate technical and legal advice in using this and other guidance published by CESG. This guidance is provided without any warranty of any kind, whether express or implied. It is provided without any representation as to the accuracy, completeness, integrity, content, quality, or fitness for purpose of all or any part of it. CESG cannot, then, accept any liability whatsoever for any loss or damage suffered or any costs incurred by any person as a result of, or arising from, either the disclosure of this guidance to you, or your subsequent use of it. This guidance is UK Crown Copyright. All Rights Reserved.
