Title

The HYCU virtual appliance must automatically audit account removal actions. (Cat II impact)

Discussion

Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

Check Content

Verify the operating system generates audit records for all account removal events. Check the auditing rules in "/etc/audit/audit.rules" with the following command: # grep -E "/etc/passwd|/etc/gshadow|/etc/shadow|/etc/security/opasswd|/etc/group|/etc/sudoers|/etc/sudoers.d/" /etc/audit/audit.rules -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity -w /etc/group -p wa -k identity -w /etc/sudoers -p wa -k identity -w /etc/sudoers.d/ -p wa -k identity If the command does not return all the lines above, or one or more of the lines are commented out, this is a finding.

Fix Text

Log in to the HYCU VM console and load the STIG audit rules by using the following commands: 1. cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/ 2. augenrules --load

Additional Identifiers

Rule ID: SV-268234r1038654_rule

Vulnerability ID: V-268234

Group Title: SRG-APP-000029-NDM-000211

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.