← Rules Catalog
mediumauditverified rollback-safe

Audit modifications to /etc/passwd

audit-file-passwd · RHEL ≥ 8 · 1 impl

Description

Changes to /etc/passwd must be audited. This file contains user account information critical to system security.

Rationale

Auditing changes to passwd allows detection of unauthorized user account creations, modifications, or deletions.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/passwd -p wa -k identity
Remediateaudit_rule_set
rule:
-w /etc/passwd -p wa -k identity
persist_file:
/etc/audit/rules.d/50-identity.rules

Framework references

STIG

V-258222 / RHEL-09-654240V-230406 / RHEL-08-030150

NIST 800-53

AU-2AU-12AC-6

Live verification

rhel8:checkrhel9:check
#audit#auditd#accounts#passwd