Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.

An XCCDF Rule

Details
Profiles

Description

Misuse of the reboot command may cause availability issues for the system.

ID: SV-258213r1045424_rule
Version: RHEL-09-654195
Severity: Medium
References: CCI-000172
Updated: about 2 months ago

Remediation Templates

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "reboot" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/reboot -F perm=x -F auid>=1000 -F auid!=unset -k privileged-reboot

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

Successful/unsuccessful uses of the reboot command in RHEL 9 must generate an audit record.

Description

Remediation Templates

A Manual Procedure