← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the setfiles command

audit-cmd-setfiles · RHEL ≥ 8 · 1 impl

Description

All uses of the setfiles command must be audited. The setfiles command sets SELinux file security contexts based on policy.

Rationale

Auditing setfiles usage allows detection of bulk SELinux context changes that could affect system security.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/setfiles -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281123 / RHEL-10-500370V-258185 / RHEL-09-654055V-230430

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#selinux