← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit account modifications affecting /etc/passwd (Ubuntu)

audit-usergroup-passwd · UBUNTU ≥ 22 · 1 impl

Description

All account creation, modification, disabling, and termination events that affect /etc/passwd must generate an audit record.

Rationale

Auditing changes to /etc/passwd allows detection of unauthorized account creation, modification, or deletion, supporting forensic investigation.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /etc/passwd -p wa -k usergroup_modification
Remediateaudit_rule_set
rule:
-w /etc/passwd -p wa -k usergroup_modification
persist_file:
/etc/audit/rules.d/50-usergroup-passwd.rules

Framework references

STIG

V-270684 / UBTU-24-200280V-260631 / UBTU-22-654145

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:full
#audit#auditd#accounts#usergroup