← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the passwd command

audit-cmd-passwd · RHEL ≥ 8 · 1 impl

Description

All uses of the passwd command must be audited. The passwd command changes user passwords which is critical for authentication security.

Rationale

Auditing passwd command usage allows detection of password changes including potential unauthorized modifications.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281135 / RHEL-10-500490V-258198 / RHEL-09-654120V-230422

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#passwd