mediumauditverified ✓rollback-safe
Audit uses of the chcon command
audit-cmd-chcon · RHEL ≥ 8 · 1 impl
Description
All uses of the chcon command must be audited. The chcon command changes SELinux security context of files.
Rationale
Auditing chcon usage allows detection of SELinux context changes that could bypass mandatory access controls.
Check → Remediate
Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/bin/chcon') if [ -z "$rule" ]; then echo "FAIL: no audit rule for /usr/bin/chcon" exit 1 fi if ! echo "$rule" | grep -q 'perm=x'; then echo "FAIL: audit rule for /usr/bin/chcon missing perm=x" exit 1 fi echo "OK: /usr/bin/chcon is audited"
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/chcon -F perm=x -F auid>=1000 -F auid!=unset -k perm_chng
- persist_file:
- /etc/audit/rules.d/50-perm_chng.rules
Framework references
CIS
rhel8 6.3.3.15rhel9 6.3.3.15rhel10 6.3.3.27
STIG
V-281121 / RHEL-10-500350V-258183 / RHEL-09-654045V-230419
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#selinux