Check: RHEL-09-654185
RHEL 9 STIG:
RHEL-09-654185
(in versions v1 r3 through v1 r1)
Title
Successful/unsuccessful uses of the init command in RHEL 9 must generate an audit record. (Cat II impact)
Discussion
Misuse of the init command may cause availability issues for the system.
Check Content
Verify that RHEL 9 is configured to audit the execution of the "init" command with the following command: $ sudo auditctl -l | grep init -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init If the command does not return a line, or the line is commented out, this is a finding.
Fix Text
Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "init" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file: -a always,exit -F path=/usr/sbin/init -F perm=x -F auid>=1000 -F auid!=unset -k privileged-init The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258211r926620_rule
Vulnerability ID: V-258211
Group Title: SRG-OS-000477-GPOS-00222
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
Controls
Number | Title |
---|---|
AU-12 |
Audit Generation |