mediumauditverified ✓rollback-safe
Audit uses of the chsh command
audit-cmd-chsh · RHEL ≥ 8 · 1 impl
Description
All uses of the chsh command must be audited. The chsh command changes user login shells which can affect security controls.
Rationale
Auditing chsh command usage allows detection of unauthorized attempts to modify user login shells, potentially bypassing security controls.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281129 / RHEL-10-500430V-258192 / RHEL-09-654090V-230448
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#chsh