mediumauditverified ✓rollback-safe
Audit uses of the setfiles command
audit-cmd-setfiles · RHEL ≥ 8 · 1 impl
Description
All uses of the setfiles command must be audited. The setfiles command sets SELinux file security contexts based on policy.
Rationale
Auditing setfiles usage allows detection of bulk SELinux context changes that could affect system security.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281123 / RHEL-10-500370V-258185 / RHEL-09-654055V-230430
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#selinux