mediumauditverified ✓rollback-safe
Audit uses of the usermod command
audit-cmd-usermod · RHEL ≥ 8 · 1 impl
Description
All uses of the usermod command must be audited. The usermod command modifies user account properties including group memberships.
Rationale
Auditing usermod usage allows detection of unauthorized user account modifications that could grant elevated access.
Check → Remediate
Checkcommand
rule=$(auditctl -l 2>/dev/null | grep 'path=/usr/sbin/usermod') if [ -z "$rule" ]; then echo "FAIL: no audit rule for /usr/sbin/usermod" exit 1 fi if ! echo "$rule" | grep -q 'perm=x'; then echo "FAIL: audit rule for /usr/sbin/usermod missing perm=x" exit 1 fi echo "OK: /usr/sbin/usermod is audited"
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
CIS
rhel8 6.3.3.18rhel9 6.3.3.18rhel10 6.3.3.30
STIG
V-281146 / RHEL-10-500600V-258209 / RHEL-09-654175V-230463
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#privileged#user