mediumauditverified ✓rollback-safe
Audit modifications to /etc/passwd
audit-file-passwd · RHEL ≥ 8 · 1 impl
Description
Changes to /etc/passwd must be audited. This file contains user account information critical to system security.
Rationale
Auditing changes to passwd allows detection of unauthorized user account creations, modifications, or deletions.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /etc/passwd -p wa -k identity
Remediateaudit_rule_set
- rule:
- -w /etc/passwd -p wa -k identity
- persist_file:
- /etc/audit/rules.d/50-identity.rules
Framework references
STIG
V-258222 / RHEL-09-654240V-230406 / RHEL-08-030150
NIST 800-53
AU-2AU-12AC-6
Live verification
rhel8:checkrhel9:check
#audit#auditd#accounts#passwd