Check: RHEL-09-654240
RHEL 9 STIG:
RHEL-09-654240
(in versions v2 r3 through v1 r1)
Title
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. (Cat II impact)
Discussion
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
Check Content
Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | egrep '(/etc/passwd)' -w /etc/passwd -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258222r1015133_rule
Vulnerability ID: V-258222
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000015 |
Support the management of system accounts using organization-defined automated mechanisms. |
| CCI-000018 |
Automatically audit account creation actions. |
| CCI-000130 |
Ensure that audit records contain information that establishes what type of event occurred. |
| CCI-000135 |
Generate audit records containing the organization-defined additional information that is to be included in the audit records. |
| CCI-000169 |
Provide audit record generation capability for the event types the system is capable of auditing as defined in AU-2 a on organization-defined information system components. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001403 |
Automatically audit account modification actions. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001405 |
Automatically audit account removal actions. |
| CCI-001683 |
The information system notifies organization-defined personnel or roles for account creation actions. |
| CCI-001684 |
The information system notifies organization-defined personnel or roles for account modification actions. |
| CCI-001685 |
The information system notifies organization-defined personnel or roles for account disabling actions. |
| CCI-001686 |
The information system notifies organization-defined personnel or roles for account removal actions. |
| CCI-002130 |
Automatically audit account enabling actions. |
| CCI-002132 |
The information system notifies organization-defined personnel or roles for account enabling actions. |
| CCI-002884 |
Log organization-defined audit events for nonlocal maintenance and diagnostic sessions. |