← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the setsebool command

audit-cmd-setsebool · RHEL ≥ 8 · 1 impl

Description

All uses of the setsebool command must be audited. The setsebool command changes SELinux boolean values affecting policy behavior.

Rationale

Auditing setsebool usage allows detection of SELinux boolean changes that could relax security restrictions.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281124 / RHEL-10-500380V-258186 / RHEL-09-654060V-230432

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#selinux