← Rules Catalog
mediumauditverified rollback-safe

Audit modifications to /etc/security/opasswd

audit-file-opasswd · RHEL ≥ 8 · 1 impl

Description

Changes to /etc/security/opasswd must be audited. This file stores password history used to prevent password reuse.

Rationale

Auditing changes to opasswd allows detection of attempts to manipulate password history and bypass password reuse restrictions.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/security/opasswd -p wa -k identity
Remediateaudit_rule_set
rule:
-w /etc/security/opasswd -p wa -k identity
persist_file:
/etc/audit/rules.d/50-identity.rules

Framework references

STIG

V-258221 / RHEL-09-654235V-230405 / RHEL-08-030140

NIST 800-53

AU-2AU-12AC-6

Live verification

rhel8:checkrhel9:check
#audit#auditd#password#opasswd