← Rules Catalog
mediumauditverified rollback-safe

Ensure events that modify user/group information are collected

audit-identity-change · RHEL ≥ 8 · 1 impl

Description

Changes to user and group identity files must be audited.

Rationale

Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.

Check → Remediate

Checkcommand
missing=""
for f in /etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd; do
  if ! auditctl -l 2>/dev/null | grep -q "\-w $f "; then
    missing="$missing $f"
  fi
done
if [ -n "$missing" ]; then
  echo "FAIL: identity files not watched:$missing"
  exit 1
fi
echo "OK: all identity files are watched"
expected_exit:
0
Remediateaudit_rule_set
rule:
-w /etc/group -p wa -k identity
persist_file:
/etc/audit/rules.d/50-identity.rules

Framework references

CIS

rhel9 6.3.3.8rhel8 6.3.3.8

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd