← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the usermod command

audit-cmd-usermod · RHEL ≥ 8 · 1 impl

Description

All uses of the usermod command must be audited. The usermod command modifies user account properties including group memberships.

Rationale

Auditing usermod usage allows detection of unauthorized user account modifications that could grant elevated access.

Check → Remediate

Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/sbin/usermod')
if [ -z "$rule" ]; then
  echo "FAIL: no audit rule for /usr/sbin/usermod"
  exit 1
fi
if ! echo "$rule" | grep -q 'perm=x'; then
  echo "FAIL: audit rule for /usr/sbin/usermod missing perm=x"
  exit 1
fi
echo "OK: /usr/sbin/usermod is audited"
expected_exit:
0
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

CIS

rhel8 6.3.3.18rhel9 6.3.3.18rhel10 6.3.3.30

STIG

V-281146 / RHEL-10-500600V-258209 / RHEL-09-654175V-230463

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#user