mediumauditverified ✓rollback-safe
Ensure events that modify user/group information are collected
audit-identity-change · RHEL ≥ 8 · 1 impl
Description
Changes to user and group identity files must be audited.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkcommand
missing=""
for f in /etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd; do
if ! auditctl -l 2>/dev/null | grep -q "\-w $f "; then
missing="$missing $f"
fi
done
if [ -n "$missing" ]; then
echo "FAIL: identity files not watched:$missing"
exit 1
fi
echo "OK: all identity files are watched"
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -w /etc/group -p wa -k identity
- persist_file:
- /etc/audit/rules.d/50-identity.rules
Framework references
CIS
rhel9 6.3.3.8rhel8 6.3.3.8
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd