← Rules Catalog
mediumauditverified rollback-safe

Ensure actions as another user are always logged

audit-user-emulation · RHEL ≥ 8 · 1 impl

Description

Actions performed as another user must be logged to maintain accountability.

Rationale

Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.

Check → Remediate

Checkaudit_rule_exists
rule:
-k user_emulation
Remediateaudit_rule_set
rule:
-a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
persist_file:
/etc/audit/rules.d/50-user_emulation.rules

Framework references

CIS

rhel9 6.3.3.2rhel10 6.3.3.2rhel8 6.3.3.2

NIST 800-53

AU-2AU-12

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd