The HYCU virtual appliance must automatically audit account removal actions.

Quick Actions

We are continuing to improve Stigviewer and we are planning on rolling out new services in the near future. Would you like to be part of the conversation on what those features should be? If so, click here.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-268234	HYCU-ND-000160	SV-268234r1038654_rule		Medium

Description

Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

STIG	Date
HYCU Protege Security Technical Implementation Guide	2024-10-29

Details

Check Text (C-72255r1038400_chk)

Verify the operating system generates audit records for all account removal events.

Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep -E "/etc/passwd|/etc/gshadow|/etc/shadow|/etc/security/opasswd|/etc/group|/etc/sudoers|/etc/sudoers.d/" /etc/audit/audit.rules

-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

If the command does not return all the lines above, or one or more of the lines are commented out, this is a finding.

Fix Text (F-72158r1038653_fix)

Log in to the HYCU VM console and load the STIG audit rules by using the following commands:

1. cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/

2. augenrules --load

STIG VIEWER