← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the su command

audit-cmd-su · RHEL ≥ 8 · 1 impl

Description

All uses of the su command must be audited. The su command allows users to switch to another user identity.

Rationale

Auditing su command usage allows detection of identity changes and potential privilege escalation attempts.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281140 / RHEL-10-500540V-258203 / RHEL-09-654145V-230412

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#su