mediumauditverified ✓rollback-safe
Audit uses of the pam_timestamp_check command
audit-cmd-pam-timestamp-check · RHEL ≥ 8 · 1 impl
Description
All uses of the pam_timestamp_check command must be audited. This command checks PAM timestamps for cached authentication credentials.
Rationale
Auditing pam_timestamp_check usage allows detection of attempts to manipulate or verify cached authentication credentials.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281134 / RHEL-10-500480V-258197 / RHEL-09-654115V-230436
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#pam