mediumauditverified ✓rollback-safe
Audit user and group modifications
audit-user-group-changes · RHEL ≥ 8 · 1 impl
Description
Changes to user and group identity files must be audited. This includes modifications to /etc/passwd, /etc/shadow, /etc/group, and /etc/gshadow.
Rationale
Auditing changes to identity files allows detection of unauthorized account creation, privilege escalation, or account manipulation.
Check → Remediate
Checkcommand
auditctl -l 2>/dev/null | grep -q '^-w /etc/passwd.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/shadow.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/group.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/gshadow.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/security/opasswd.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/sudoers.*-p wa' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/sudoers\.d.*-p wa'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -w /etc/passwd -p wa -k identity
- persist_file:
- /etc/audit/rules.d/50-identity.rules
Framework references
STIG
V-258219 / RHEL-09-654225V-258220 / RHEL-09-654230V-230408 / RHEL-08-030170V-230407 / RHEL-08-030160
NIST 800-53
AU-2AU-12AC-2
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#identity