mediumauditverified ✓rollback-safe
Audit uses of the ssh-keysign command
audit-cmd-ssh-keysign · RHEL ≥ 8 · 1 impl
Description
All uses of the ssh-keysign command must be audited. The ssh-keysign command is used for host-based authentication.
Rationale
Auditing ssh-keysign usage allows detection of host-based SSH authentication attempts that could indicate lateral movement.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281139 / RHEL-10-500530V-258202 / RHEL-09-654140V-230434
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#ssh