mediumauditverified ✓rollback-safe
Audit uses of the poweroff command
audit-cmd-poweroff · RHEL ≥ 9 · 1 impl
Description
All uses of the poweroff command must be audited. The poweroff command halts the system.
Rationale
Auditing poweroff command usage allows detection of unauthorized system shutdowns that could cause service disruption.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281149 / RHEL-10-500630V-258212 / RHEL-09-654190
NIST 800-53
AU-2AU-12
Live verification
rhel9:check
#audit#auditd#privileged#system