RHEL-06-000176 - The operating system must automatically audit account disabling actions - /etc/shadow.

Information

In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.

Solution

Add the following to '/etc/audit/audit.rules', in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_6_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|III, CCI|CCI-001404, Rule-ID|SV-217958r603264_rule, STIG-ID|RHEL-06-000176, STIG-Legacy|SV-50337, STIG-Legacy|V-38536, Vuln-ID|V-217958

Plugin: Unix

Control ID: 5eb2306797a758e1ca7914a5d66e3753ad3bc30a1335022bd086918110e525e7