mediumauditverified ✓rollback-safe
Audit execution of privileged commands
audit-privileged-commands · RHEL ≥ 8 · 1 impl
Description
The system must audit all executions of setuid and setgid programs to track privileged command usage.
Rationale
Privileged commands run with elevated permissions and are common targets for attackers. Auditing their execution provides accountability and helps detect unauthorized privilege escalation attempts.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -k execpriv
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
CIS
rhel9 6.3.3.6rhel10 6.3.3.10rhel8 6.3.3.6
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#privileged#suid#sgid#stig