Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record.
An XCCDF Rule
Description
Misuse of the init command may cause availability issues for the system.
- ID
- SV-258211r1045418_rule
- Version
- RHEL-09-654185
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "init" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:
-a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init
To load the rules to the kernel immediately, use the following command:
$ sudo augenrules --load