Check: OL6-00-000174
Oracle Linux 6 STIG:
OL6-00-000174
(in versions v2 r7 through v1 r9)
Title
The operating system must automatically audit account creation. (Cat III impact)
Discussion
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Check Content
To determine if the system is configured to audit account changes, run the following command: $ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix Text
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
Additional Identifiers
Rule ID: SV-208887r793672_rule
Vulnerability ID: V-208887
Group Title: SRG-OS-000004
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000018 |
The information system automatically audits account creation actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |