← Rules Catalog
mediumauditverified rollback-safe

Audit user and group modifications

audit-user-group-changes · RHEL ≥ 8 · 1 impl

Description

Changes to user and group identity files must be audited. This includes modifications to /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow.

Rationale

Auditing changes to identity files allows detection of unauthorized account creation, privilege escalation, or account manipulation.

Check → Remediate

Checkcommand
auditctl -l 2>/dev/null | grep -q '^-w /etc/passwd.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/shadow.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/group.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/gshadow.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/security/opasswd.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/sudoers.*-p wa' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/sudoers\.d.*-p wa'
expected_exit:
0
Remediateaudit_rule_set
rule:
-w /etc/passwd -p wa -k identity
persist_file:
/etc/audit/rules.d/50-identity.rules

Framework references

STIG

V-258219 / RHEL-09-654225V-258220 / RHEL-09-654230V-230408 / RHEL-08-030170V-230407 / RHEL-08-030160

NIST 800-53

AU-2AU-12AC-2

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#identity