mediumauditverified ✓rollback-safe
Audit uses of the reboot command
audit-cmd-reboot · RHEL ≥ 9 · 1 impl
Description
All uses of the reboot command must be audited. The reboot command restarts the system.
Rationale
Auditing reboot command usage allows detection of unauthorized system restarts that could cause service disruption.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281150 / RHEL-10-500640V-258213 / RHEL-09-654195
NIST 800-53
AU-2AU-12
Live verification
rhel9:check
#audit#auditd#privileged#system