mediumauditverified ✓rollback-safe
Audit uses of the unix_chkpwd command
audit-cmd-unix-chkpwd · RHEL ≥ 8 · 1 impl
Description
All uses of the unix_chkpwd command must be audited. The unix_chkpwd helper is used by PAM to verify passwords.
Rationale
Auditing unix_chkpwd usage allows detection of password verification attempts that could indicate brute force attacks.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281143 / RHEL-10-500570V-258206 / RHEL-09-654160V-230433
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#pam