mediumauditverified ✓rollback-safe
Audit uses of the execve system call
audit-execve · RHEL ≥ 8 · 1 impl
Description
The execve system call must be audited so that all program executions are recorded in the audit log for both 32-bit and 64-bit architectures.
Rationale
Without auditing execve, it is not possible to track what programs are executed on the system. This information is critical for forensic investigations and detecting unauthorized activity.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F arch=b64 -S execve
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
- persist_file:
- /etc/audit/rules.d/50-execve.rules
Framework references
STIG
V-281116 / RHEL-10-500300V-258176 / RHEL-09-654010
NIST 800-53
AU-2AU-12
Live verification
rhel9:check
#audit#auditd#syscall#execve