highauditverified ✓rollback-safe
Audit modifications to /etc/shadow
audit-file-shadow · RHEL ≥ 8 · 1 impl
Description
Changes to /etc/shadow must be audited. This file contains encrypted password hashes and account aging information.
Rationale
Auditing changes to shadow allows detection of password hash modifications and account status changes.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /etc/shadow -p wa -k identity
Remediateaudit_rule_set
- rule:
- -w /etc/shadow -p wa -k identity
- persist_file:
- /etc/audit/rules.d/50-identity.rules
Framework references
STIG
V-258223 / RHEL-09-654245V-230404 / RHEL-08-030130
NIST 800-53
AU-2AU-12AC-6
Live verification
rhel8:checkrhel9:check
#audit#auditd#accounts#shadow