UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must be configured to audit account creation and modification.


Overview

Finding ID Version Rule ID IA Controls Severity
RHEL-06-000176 RHEL-06-000176 RHEL-06-000176_rule Low
Description
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2013-02-05

Details

Check Text ( C-RHEL-06-000176_chk )
To determine if the system is configured to audit account changes, run the following command:

auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)'

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each).
If the system is not configured to audit account changes, this is a finding.
Fix Text (F-RHEL-06-000176_fix)
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes