Check: TOSS-04-030000
Tri-Lab Operating System Stack (TOSS) 4 STIG:
TOSS-04-030000
(in versions v2 r1 through v1 r1)
Title
TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow. (Cat II impact)
Discussion
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221
Check Content
Verify TOSS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow." Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/shadow /etc/audit/audit.rules -w /etc/shadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Fix Text
Configure TOSS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow." Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.
Additional Identifiers
Rule ID: SV-252972r958368_rule
Vulnerability ID: V-252972
Group Title: SRG-OS-000004-GPOS-00004
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000018 |
Automatically audit account creation actions. |
| CCI-000172 |
Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
| CCI-001403 |
Automatically audit account modification actions. |
| CCI-001404 |
Automatically audit account disabling actions. |
| CCI-001405 |
Automatically audit account removal actions. |
| CCI-002130 |
Automatically audit account enabling actions. |