← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the semanage command

audit-cmd-semanage · RHEL ≥ 8 · 1 impl

Description

All uses of the semanage command must be audited. The semanage command manages SELinux policy components.

Rationale

Auditing semanage usage allows detection of SELinux policy changes that could weaken mandatory access controls.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/semanage -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281122 / RHEL-10-500360V-258184 / RHEL-09-654050V-230429

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#selinux