← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the ssh-keysign command

audit-cmd-ssh-keysign · RHEL ≥ 8 · 1 impl

Description

All uses of the ssh-keysign command must be audited. The ssh-keysign command is used for host-based authentication.

Rationale

Auditing ssh-keysign usage allows detection of host-based SSH authentication attempts that could indicate lateral movement.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281139 / RHEL-10-500530V-258202 / RHEL-09-654140V-230434

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#ssh