Detections
Analytics

1.430 RHEL-09-654200

Information

Successful/unsuccessful uses of the shutdown command in RHEL 9 must generate an audit record.

GROUP ID: V-258214
RULE ID: SV-258214r1045427

Misuse of the shutdown command may cause availability issues for the system.

Solution

Configure the audit system to generate an audit event for any successful/unsuccessful uses of the "shutdown" command by adding or updating the following rule in the "/etc/audit/rules.d/audit.rules" file:

-a always,exit -F path=/usr/sbin/shutdown -F perm=x -F auid>=1000 -F auid!=unset -k privileged-shutdown

To load the rules to the kernel immediately, use the following command:

$ sudo augenrules --load

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-258214r1045427_rule, STIG-ID|RHEL-09-654200, Vuln-ID|V-258214

Plugin: Unix

Control ID: b530e54ed4ad6f41452e73a33d21b8390e9c762d7f19bdee9ea0e9642e6cde1c