← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the chage command

audit-cmd-chage · RHEL ≥ 8 · 1 impl

Description

All uses of the chage command must be audited. The chage command modifies password aging information and can affect account security.

Rationale

Auditing chage command usage allows detection of unauthorized attempts to modify password aging policies for user accounts.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281128 / RHEL-10-500420V-258191 / RHEL-09-654085V-230418

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#chage