mediumauditverified ✓rollback-safe
Audit uses of the gpasswd command
audit-cmd-gpasswd · RHEL ≥ 8 · 1 impl
Description
All uses of the gpasswd command must be audited. The gpasswd command administers group passwords and membership, affecting access controls.
Rationale
Auditing gpasswd command usage allows detection of unauthorized group membership changes that could grant elevated access.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281131 / RHEL-10-500450V-258194 / RHEL-09-654100V-230444
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#gpasswd