mediumauditverified ✓rollback-safe
Audit uses of the passwd command
audit-cmd-passwd · RHEL ≥ 8 · 1 impl
Description
All uses of the passwd command must be audited. The passwd command changes user passwords which is critical for authentication security.
Rationale
Auditing passwd command usage allows detection of password changes including potential unauthorized modifications.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281135 / RHEL-10-500490V-258198 / RHEL-09-654120V-230422
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#passwd