Check: RHEL-09-654240
RHEL 9 STIG:
RHEL-09-654240
(in versions v1 r3 through v1 r1)
Title
RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd. (Cat II impact)
Discussion
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000304-GPOS-00121, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000470-GPOS-00214, SRG-OS-000471-GPOS-00215, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221, SRG-OS-000274-GPOS-00104, SRG-OS-000275-GPOS-00105, SRG-OS-000276-GPOS-00106, SRG-OS-000277-GPOS-00107
Check Content
Verify RHEL 9 generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd" with the following command: $ sudo auditctl -l | egrep '(/etc/passwd)' -w /etc/passwd -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd". Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/passwd -p wa -k identity The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258222r926653_rule
Vulnerability ID: V-258222
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
The information system automatically audits account creation actions. |
| CCI-000130 |
The information system generates audit records containing information that establishes what type of event occurred. |
| CCI-000135 |
The information system generates audit records containing the organization-defined additional, more detailed information that is to be included in the audit records. |
| CCI-000169 |
The information system provides audit record generation capability for the auditable events defined in AU-2 a. at organization-defined information system components. |
| CCI-000172 |
The information system generates audit records for the events defined in AU-2 d. with the content defined in AU-3. |
| CCI-001403 |
The information system automatically audits account modification actions. |
| CCI-001404 |
The information system automatically audits account disabling actions. |
| CCI-001405 |
The information system automatically audits account removal actions. |
| CCI-001683 |
The information system notifies organization-defined personnel or roles for account creation actions. |
| CCI-001684 |
The information system notifies organization-defined personnel or roles for account modification actions. |
| CCI-001685 |
The information system notifies organization-defined personnel or roles for account disabling actions. |
| CCI-001686 |
The information system notifies organization-defined personnel or roles for account removal actions. |
| CCI-002130 |
The information system automatically audits account enabling actions. |
| CCI-002132 |
The information system notifies organization-defined personnel or roles for account enabling actions. |
| CCI-002884 |
The organization audits nonlocal maintenance and diagnostic sessions^ organization-defined audit events. |