← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the chsh command

audit-cmd-chsh · RHEL ≥ 8 · 1 impl

Description

All uses of the chsh command must be audited. The chsh command changes user login shells which can affect security controls.

Rationale

Auditing chsh command usage allows detection of unauthorized attempts to modify user login shells, potentially bypassing security controls.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281129 / RHEL-10-500430V-258192 / RHEL-09-654090V-230448

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#chsh