← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the poweroff command

audit-cmd-poweroff · RHEL ≥ 9 · 1 impl

Description

All uses of the poweroff command must be audited. The poweroff command halts the system.

Rationale

Auditing poweroff command usage allows detection of unauthorized system shutdowns that could cause service disruption.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281149 / RHEL-10-500630V-258212 / RHEL-09-654190

NIST 800-53

AU-2AU-12

Live verification

rhel9:check
#audit#auditd#privileged#system