mediumauditverified ✓rollback-safe
Audit uses of the userhelper command
audit-cmd-userhelper · RHEL ≥ 8 · 1 impl
Description
All uses of the userhelper command must be audited. The userhelper command is used by graphical user interface tools to change passwords.
Rationale
Auditing userhelper usage allows detection of password changes initiated through graphical interfaces.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/userhelper -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281145 / RHEL-10-500590V-258208 / RHEL-09-654170V-230431
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#user