← Rules Catalog
mediumauditverified rollback-safe

Audit execution of privileged commands

audit-privileged-commands · RHEL ≥ 8 · 1 impl

Description

The system must audit all executions of setuid and setgid programs to track privileged command usage.

Rationale

Privileged commands run with elevated permissions and are common targets for attackers. Auditing their execution provides accountability and helps detect unauthorized privilege escalation attempts.

Check → Remediate

Checkaudit_rule_exists
rule:
-k execpriv
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k execpriv
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

CIS

rhel9 6.3.3.6rhel10 6.3.3.10rhel8 6.3.3.6

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#privileged#suid#sgid#stig