mediumauditverified ✓rollback-safe
Audit uses of the su command
audit-cmd-su · RHEL ≥ 8 · 1 impl
Description
All uses of the su command must be audited. The su command allows users to switch to another user identity.
Rationale
Auditing su command usage allows detection of identity changes and potential privilege escalation attempts.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281140 / RHEL-10-500540V-258203 / RHEL-09-654145V-230412
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#su