mediumauditverified ✓rollback-safe
Ensure actions as another user are always logged
audit-user-emulation · RHEL ≥ 8 · 1 impl
Description
Actions performed as another user must be logged to maintain accountability.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -k user_emulation
Remediateaudit_rule_set
- rule:
- -a always,exit -F arch=b64 -C euid!=uid -F auid!=unset -S execve -k user_emulation
- persist_file:
- /etc/audit/rules.d/50-user_emulation.rules
Framework references
CIS
rhel9 6.3.3.2rhel10 6.3.3.2rhel8 6.3.3.2
NIST 800-53
AU-2AU-12
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd