Ensure auditd Collects Information on the Use of Privileged Commands - reboot
An XCCDF Rule
Description
At a minimum, the audit system should collect the execution of privileged commands for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add a line of the following form to a file with suffix .rules in the directory /etc/audit/rules.d:
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add a line of the following form to /etc/audit/audit.rules:
-a always,exit -F path=/usr/sbin/reboot -F auid>=1000 -F auid!=unset -F key=privileged
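One way to verify that the rule is present in the rule files, as an added example that is not part of this rule's own content. The helper name has_reboot_rule is hypothetical, and the check goes slightly beyond the literal line above by also accepting equivalent spellings auditctl understands (-k privileged, exit,always, and auid!=4294967295 or auid!=-1 for unset).

```shell
#!/bin/sh
# Added example (not SSG content). has_reboot_rule is a hypothetical helper.
# Usage: sh <this script> /etc/audit/rules.d/*.rules
# auditd does not care about field order, so each field is matched on its own
# instead of comparing the whole line as a string.

# has_reboot_rule [FILE...] -> exit 0 if one line carries the complete rule.
# Reads stdin when no file is given.
has_reboot_rule() {
    awk '
    /^[ \t]*#/ { next }                      # commented-out rules do not count
    {
        act = path = minuid = nounset = key = 0   # reset for every rule line
        for (i = 1; i < NF; i++) {
            v = $(i + 1)
            if ($i == "-a" && (v == "always,exit" || v == "exit,always")) act = 1
            if ($i == "-k" && v == "privileged") key = 1
            if ($i != "-F") continue
            if (v == "path=/usr/sbin/reboot") path = 1
            if (v == "auid>=1000") minuid = 1
            # unset, 4294967295 and -1 all name the "no login uid" value
            if (v == "auid!=unset" || v == "auid!=4294967295" || v == "auid!=-1") nounset = 1
            if (v == "key=privileged") key = 1
        }
        if (act && path && minuid && nounset && key) found = 1
    }
    END { exit !found }
    ' "$@"
}

if [ "$#" -gt 0 ]; then
    if has_reboot_rule "$@"; then
        echo "reboot audit rule present"
    else
        echo "reboot audit rule MISSING" >&2
        exit 1
    fi
else
    # Constructed sample: the same rule with fields reordered and the -k form.
    has_reboot_rule <<'EOF' && echo "constructed sample: rule recognised"
-a always,exit -F auid!=4294967295 -F auid>=1000 -F path=/usr/sbin/reboot -k privileged
EOF
fi
```

This checks the files on disk only; the rules actually loaded in the kernel can be listed with auditctl -l.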
Rationale
Misuse of the reboot command may cause availability issues for the system.
- ID: xccdf_org.ssgproject.content_rule_audit_privileged_commands_reboot
- Severity: Medium
- References
- Updated