Check: OL6-00-000175
Oracle Linux 6 STIG:
OL6-00-000175
(in versions v2 r7 through v1 r9)
Title
The operating system must automatically audit account modification. (Cat III impact)
Discussion
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
Check Content
To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix Text
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes
Additional Identifiers
Rule ID: SV-208888r793673_rule
Vulnerability ID: V-208888
Group Title: SRG-OS-000239
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001403 |
The information system automatically audits account modification actions. |
Controls
Number | Title |
---|---|
AC-2 (4) |
Automated Audit Actions |