STIGQter STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 1 Release: 17 Benchmark Date: 25 Oct 2019: The operating system must automatically audit account disabling actions.

DISA Rule

SV-65291r2_rule

Vulnerability Number

V-51083

Group Title

SRG-OS-000240

Rule Version

OL6-00-000176

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

Check Contents

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Vulnerability Number

V-51083

Documentable

False

Rule Version

OL6-00-000176

Severity Override Guidance

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Check Content Reference

M

Target Key

2208

Comments