← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the gpasswd command

audit-cmd-gpasswd · RHEL ≥ 8 · 1 impl

Description

All uses of the gpasswd command must be audited. The gpasswd command administers group passwords and membership, affecting access controls.

Rationale

Auditing gpasswd command usage allows detection of unauthorized group membership changes that could grant elevated access.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281131 / RHEL-10-500450V-258194 / RHEL-09-654100V-230444

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#gpasswd