Record Events that Modify User/Group Information - /etc/passwd
An XCCDF Rule
Description
If the auditd
daemon is configured to use the
augenrules
program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules
in the
directory /etc/audit/rules.d
, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
If the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file, in order to capture events that modify
account changes:
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
Rationale
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_usergroup_modification_passwd
- Severity
- Medium
- References
-
SRG-OS-000004-GPOS-00004
SRG-OS-000037-GPOS-00015
SRG-OS-000042-GPOS-00020
SRG-OS-000062-GPOS-00031
SRG-OS-000239-GPOS-00089
SRG-OS-000240-GPOS-00090
SRG-OS-000241-GPOS-00091
SRG-OS-000274-GPOS-00104
SRG-OS-000275-GPOS-00105
SRG-OS-000276-GPOS-00106
SRG-OS-000277-GPOS-00107
SRG-OS-000303-GPOS-00120
SRG-OS-000304-GPOS-00121
SRG-OS-000304-GPOS-00121
SRG-OS-000392-GPOS-00172
SRG-OS-000462-GPOS-00206
SRG-OS-000466-GPOS-00210
SRG-OS-000470-GPOS-00214
SRG-OS-000471-GPOS-00215
SRG-OS-000476-GPOS-00221
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83714-6
- CJIS-5.4.1.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
# Create a list of audit *.rules files that should be inspected for presence and correctness