Ensure auditd Collects Information on the Use of Privileged Commands - poweroff
An XCCDF Rule
Description
At a minimum, the audit system should collect the execution of
privileged commands for all users and root. If the auditd
daemon is
configured to use the augenrules
program to read audit rules during
daemon startup (the default), add a line of the following form to a file with
suffix .rules
in the directory /etc/audit/rules.d
:
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privilegedIf the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add a line of the following
form to /etc/audit/audit.rules
:
-a always,exit -F path=/usr/sbin/poweroff -F auid>=1000 -F auid!=unset -F key=privileged
Rationale
Misuse of the poweroff command may cause availability issues for the system.
- ID
- xccdf_org.ssgproject.content_rule_audit_privileged_commands_poweroff
- Severity
- Medium
- References
- Updated