MEDIUM M17: Privileged Commands Audit P3

Overview

Loads audit rules that record every execution of the setuid/setgid binaries listed below (su, sudo, mount, passwd and similar security-sensitive executables). Each rule matches on the binary path with perm=x and is filtered to real users (auid>=1000, auid!=unset), so privilege escalation and administrative actions are attributed to the login user rather than to the effective root UID.

Profile: NIST 800-53 Moderate (rhcos4-moderate)

Compliance Checks

Check                Description
at                   Audit at command execution
chage                Audit password aging changes
chsh                 Audit login shell changes
crontab              Audit crontab modifications
gpasswd              Audit group password and membership changes
mount                Audit mount operations
newgidmap            Audit newgidmap execution (user-namespace GID mapping)
newgrp               Audit newgrp execution (switching the current group ID)
newuidmap            Audit newuidmap execution (user-namespace UID mapping)
pam-timestamp-check  Audit PAM timestamp checks
passwd               Audit password changes
postdrop             Audit postfix mail drop
postqueue            Audit postfix mail queue
pt-chown             Audit pseudo-terminal ownership changes
ssh-keysign          Audit ssh-keysign execution (host-based SSH authentication)
su                   Audit su command execution
sudo                 Audit sudo command execution
sudoedit             Audit sudoedit execution
umount               Audit unmount operations
unix-chkpwd          Audit password verification helper execution
userhelper           Audit userhelper execution
usernetctl           Audit usernetctl execution (user control of network interfaces)

Verification

oc debug node/<node> -- chroot /host auditctl -l | grep -c privileged

Expect at least one rule per check listed above (22 here). The count only shows how many loaded rules carry the key "privileged"; it does not prove that every listed binary has an execution rule (perm=x) with the expected auid filter, so inspect the full auditctl -l output when the count looks right but a scan still fails.
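The following is an added example, not part of this tracker or of the compliance profile, that checks the loaded rules per binary instead of counting keys. The binary paths are assumed (typical RHCOS/RHEL locations) and the sample auditctl output is constructed, not captured from a node; on a real node feed it the output of the oc debug command above.

```shell
#!/bin/sh
# Added example: confirm that every privileged binary from the check list has a
# loaded audit rule that records its execution by a real user.
# PRIV_BINS holds assumed paths; verify them on the node, e.g. with
#   find / -xdev -perm /6000 -type f
PRIV_BINS="/usr/bin/at /usr/bin/chage /usr/bin/chsh /usr/bin/crontab
/usr/bin/gpasswd /usr/bin/mount /usr/bin/newgidmap /usr/bin/newgrp
/usr/bin/newuidmap /usr/sbin/pam_timestamp_check /usr/bin/passwd
/usr/sbin/postdrop /usr/sbin/postqueue /usr/libexec/pt_chown
/usr/libexec/openssh/ssh-keysign /usr/bin/su /usr/bin/sudo /usr/bin/sudoedit
/usr/bin/umount /usr/sbin/unix_chkpwd /usr/sbin/userhelper /usr/sbin/usernetctl"

# rule_covers RULES PATH: succeed when RULES (auditctl -l output) contains a
# rule for exactly PATH that audits execution (perm=x) and filters on auid.
# The trailing space after the path keeps /usr/bin/su from matching /usr/bin/sudo.
rule_covers() {
    printf '%s\n' "$1" | grep -F -- "path=$2 " | grep -F 'perm=x' | grep -q 'auid>='
}

# missing_rules RULES: print each privileged binary without a covering rule,
# one per line, and succeed only when nothing is missing.
missing_rules() {
    rules=$1
    missing=0
    for bin in $PRIV_BINS; do
        if ! rule_covers "$rules" "$bin"; then
            echo "$bin"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of auditctl -l output (not from a real node): every binary
# has the expected rule except usernetctl, which has none, and pt_chown, whose
# rule only watches writes/attribute changes (perm=wa), not execution. A plain
# "grep -c privileged" still counts the pt_chown rule, which is the point.
sample_rules() {
    for bin in $PRIV_BINS; do
        case $bin in
            /usr/sbin/usernetctl) ;;
            /usr/libexec/pt_chown)
                echo "-a always,exit -S all -F path=$bin -F perm=wa -F auid>=1000 -F auid!=unset -F key=privileged" ;;
            *)
                echo "-a always,exit -S all -F path=$bin -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged" ;;
        esac
    done
}

# Usage on a node:
#   oc debug node/<node> -- chroot /host auditctl -l > rules.txt
#   missing_rules "$(cat rules.txt)" || echo "privileged-command audit incomplete"
# Offline demo against the constructed sample:
#   missing_rules "$(sample_rules)"   # prints pt_chown and usernetctl, exits 1
```

The check is deliberately stricter than the key count: a file watch or a read/write rule on the same path would be counted by grep but does not satisfy the profile, which wants execution audited and attributed by auid.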