← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the execve system call

audit-execve · RHEL ≥ 8 · 1 impl

Description

The execve system call must be audited so that all program executions are recorded in the audit log for both 32-bit and 64-bit architectures.

Rationale

Without auditing execve, it is not possible to track what programs are executed on the system. This information is critical for forensic investigations and detecting unauthorized activity.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F arch=b64 -S execve
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
persist_file:
/etc/audit/rules.d/50-execve.rules

Framework references

STIG

V-281116 / RHEL-10-500300V-258176 / RHEL-09-654010

NIST 800-53

AU-2AU-12

Live verification

rhel9:check
#audit#auditd#syscall#execve