← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the userhelper command

audit-cmd-userhelper · RHEL ≥ 8 · 1 impl

Description

All uses of the userhelper command must be audited. The userhelper command is used by graphical user interface tools to change passwords.

Rationale

Auditing userhelper usage allows detection of password changes initiated through graphical interfaces.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281145 / RHEL-10-500590V-258208 / RHEL-09-654170V-230431

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#user