TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-252972	TOSS-04-030000	SV-252972r958368_rule		Medium

Description
Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

Description

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000466-GPOS-00210, SRG-OS-000476-GPOS-00221

STIG	Date
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide	2024-05-30

Details

Check Text ( C-56425r824238_chk )
Verify TOSS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow." Check the auditing rules in "/etc/audit/audit.rules" with the following command: $ sudo grep /etc/shadow /etc/audit/audit.rules -w /etc/shadow -p wa -k identity If the command does not return a line, or the line is commented out, this is a finding. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Check Text ( C-56425r824238_chk )

Verify TOSS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow."

Check the auditing rules in "/etc/audit/audit.rules" with the following command:

$ sudo grep /etc/shadow /etc/audit/audit.rules
-w /etc/shadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.

Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix Text (F-56375r824239_fix)
Configure TOSS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow." Add or update the following file system rule to "/etc/audit/rules.d/audit.rules": -w /etc/shadow -p wa -k identity The audit daemon must be restarted for the changes to take effect. Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.

Fix Text (F-56375r824239_fix)

Configure TOSS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/shadow."

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/shadow -p wa -k identity

The audit daemon must be restarted for the changes to take effect.

Note: The "-k" allows for specifying an arbitrary identifier. The string following "-k" does not need to match the example output above.