RHEL-09-654190 - Successful/unsuccessful uses of the poweroff command in RHEL 9 must generate an audit record.

Information

Misuse of the poweroff command may cause availability issues for the system.

Solution

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the 'poweroff' command by adding or updating the following rule in the '/etc/audit/rules.d/audit.rules' file:

-a always,exit -F path=/usr/sbin/poweroff -F perm=x -F auid>=1000 -F auid!=unset -k privileged-poweroff

The audit daemon must be restarted for the changes to take effect.

$ sudo service auditd restart

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-258212r1014978_rule, STIG-ID|RHEL-09-654190, Vuln-ID|V-258212

Plugin: Unix

Control ID: e6e2297bf2801099343c85fc0f7a221e9c1d056c71c19f70d4ea30e1f19e262f