STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must automatically audit account creation.

DISA Rule

SV-208887r603263_rule

Vulnerability Number

V-208887

Group Title

SRG-OS-000004

Rule Version

OL6-00-000174

Severity

CAT III

CCI(s)

• CCI-000018 - The information system automatically audits account creation actions.

Weight

10

Fix Recommendation

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

Check Contents

To determine if the system is configured to audit account changes, run the following command:

$ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Vulnerability Number

V-208887

Documentable

False

Rule Version

OL6-00-000174

Severity Override Guidance

To determine if the system is configured to audit account changes, run the following command:

$ sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Check Content Reference

M

Target Key

2928

Comments