mediumauditverified ✓rollback-safe
Audit uses of the chage command
audit-cmd-chage · RHEL ≥ 8 · 1 impl
Description
All uses of the chage command must be audited. The chage command modifies password aging information and can affect account security.
Rationale
Auditing chage command usage allows detection of unauthorized attempts to modify password aging policies for user accounts.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281128 / RHEL-10-500420V-258191 / RHEL-09-654085V-230418
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#chage