mediumauditverified ✓rollback-safe
Audit uses of the init command
audit-cmd-init · RHEL ≥ 9 · 1 impl
Description
All uses of the init command must be audited. The init command controls system runlevel and can be used to shutdown or reboot.
Rationale
Auditing init command usage allows detection of unauthorized system state changes including shutdowns and reboots.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281148 / RHEL-10-500620V-258211 / RHEL-09-654185
NIST 800-53
AU-2AU-12
Live verification
rhel9:check
#audit#auditd#privileged#system