← Rules Catalog
highauditverified rollback-safe

Audit modifications to /etc/shadow

audit-file-shadow · RHEL ≥ 8 · 1 impl

Description

Changes to /etc/shadow must be audited. This file contains encrypted password hashes and account aging information.

Rationale

Auditing changes to shadow allows detection of password hash modifications and account status changes.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/shadow -p wa -k identity
Remediateaudit_rule_set
rule:
-w /etc/shadow -p wa -k identity
persist_file:
/etc/audit/rules.d/50-identity.rules

Framework references

STIG

V-258223 / RHEL-09-654245V-230404 / RHEL-08-030130

NIST 800-53

AU-2AU-12AC-6

Live verification

rhel8:checkrhel9:check
#audit#auditd#accounts#shadow