Title

The operating system must automatically audit account modification. (Cat III impact)

Discussion

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Check Content

To determine if the system is configured to audit account changes, run the following command: $sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each). If the system is not configured to audit account changes, this is a finding.

Fix Text

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes: # audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes

Additional Identifiers

Rule ID: SV-217957r603264_rule

Vulnerability ID: V-217957

Group Title: SRG-OS-000239

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.