medium · audit · audit-cmd-shutdown

Audit uses of the shutdown command

All uses of the shutdown command must be recorded by the audit subsystem so privileged availability-affecting actions are attributable.

audit · auditd · privileged

Frameworks satisfied

DISA STIG
rhel9: RHEL-09-654320 · V-258214 · CAT II
NIST 800-53
AU-2 · AU-12
CIS Benchmark
4.1.3.7

Platforms

rhel 9+ · ubuntu 22+

Check

audit_rule_exists
-a always,exit -F path=/usr/sbin/shutdown -F auid>=1000 -F auid!=unset -k privileged

Remediation

audit_rule_set
persisted to /etc/audit/rules.d/50-privileged.rules

Depends on