mediumauditverified ✓rollback-safe
Audit uses of the setsebool command
audit-cmd-setsebool · RHEL ≥ 8 · 1 impl
Description
All uses of the setsebool command must be audited. The setsebool command changes SELinux boolean values affecting policy behavior.
Rationale
Auditing setsebool usage allows detection of SELinux boolean changes that could relax security restrictions.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/setsebool -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281124 / RHEL-10-500380V-258186 / RHEL-09-654060V-230432
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#selinux