mediumauditverified ✓rollback-safe
Audit uses of the semanage command
audit-cmd-semanage · RHEL ≥ 8 · 1 impl
Description
All uses of the semanage command must be audited. The semanage command manages SELinux policy components.
Rationale
Auditing semanage usage allows detection of SELinux policy changes that could weaken mandatory access controls.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281122 / RHEL-10-500360V-258184 / RHEL-09-654050V-230429
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#selinux