← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the chcon command

audit-cmd-chcon · RHEL ≥ 8 · 1 impl

Description

All uses of the chcon command must be audited. The chcon command changes SELinux security context of files.

Rationale

Auditing chcon usage allows detection of SELinux context changes that could bypass mandatory access controls.

Check → Remediate

Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/chcon')
if [ -z "$rule" ]; then
  echo "FAIL: no audit rule for /usr/bin/chcon"
  exit 1
fi
if ! echo "$rule" | grep -q 'perm=x'; then
  echo "FAIL: audit rule for /usr/bin/chcon missing perm=x"
  exit 1
fi
echo "OK: /usr/bin/chcon is audited"
expected_exit:
0
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
persist_file:
/etc/audit/rules.d/50-perm_chng.rules

Framework references

CIS

rhel8 6.3.3.15rhel9 6.3.3.15rhel10 6.3.3.27

STIG

V-281121 / RHEL-10-500350V-258183 / RHEL-09-654045V-230419

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#selinux