← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the init command

audit-cmd-init · RHEL ≥ 9 · 1 impl

Description

All uses of the init command must be audited. The init command controls system runlevel and can be used to shutdown or reboot.

Rationale

Auditing init command usage allows detection of unauthorized system state changes including shutdowns and reboots.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281148 / RHEL-10-500620V-258211 / RHEL-09-654185

NIST 800-53

AU-2AU-12

Live verification

rhel9:check
#audit#auditd#privileged#system