CCE-92356-5
Platform: Amazon Linux | Date: (C)2018-10-29 (M)2022-10-10 |
Record Events that Modify User/Group Information
If the 'auditd' daemon is configured to use the
'augenrules' program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix '.rules' in the
directory '/etc/audit/rules.d', in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
If the 'auditd' daemon is configured to use the 'auditctl'
utility to read audit rules during daemon startup, add the following lines to
the '/etc/audit/audit.rules' file, in order to capture events that modify
account information:
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p wa -k audit_rules_usergroup_modification
-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
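A check for the five watches listed above, added here as an example and not part of the CCE record or the audit package. The function names and the sample rules are constructed; only the '-w' form with an explicit '-p' shown on this page is recognized, and any key is accepted.

```shell
#!/bin/sh
# Added example: report which account files from this page have no
# "-w <path> -p <perms including w and a>" watch in the given rule files.
# Function names are constructed; they are not part of auditd.

REQUIRED_WATCHES="/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd"

# has_watch PATH FILE...
# Succeeds if a non-comment line watches PATH with both w and a permissions.
has_watch() {
    want=$1; shift
    awk -v want="$want" '
        /^[[:space:]]*#/ { next }            # commented-out rules do not count
        {
            p = ""; perms = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-w") p = $(i + 1)
                if ($i == "-p") perms = $(i + 1)
            }
            if (p == want && perms ~ /w/ && perms ~ /a/) found = 1
        }
        END { exit !found }
    ' "$@"
}

# missing_usergroup_watches FILE...
# Prints each required path that lacks a watch; returns 1 if any is missing.
missing_usergroup_watches() {
    [ $# -gt 0 ] || return 2                 # no files given: nothing to check
    status=0
    for path in $REQUIRED_WATCHES; do
        if ! has_watch "$path" "$@"; then
            printf '%s\n' "$path"
            status=1
        fi
    done
    return $status
}

# Constructed sample: opasswd rule commented out, shadow watched for reads only.
sample_rules() {
    cat <<'EOF'
-w /etc/group -p wa -k audit_rules_usergroup_modification
-w /etc/passwd -p wa -k audit_rules_usergroup_modification
-w /etc/gshadow   -p wa -k audit_rules_usergroup_modification
#-w /etc/security/opasswd -p wa -k audit_rules_usergroup_modification
-w /etc/shadow -p r -k audit_rules_usergroup_modification
EOF
}
```

On a host it would be called as `missing_usergroup_watches /etc/audit/rules.d/*.rules` or against '/etc/audit/audit.rules', depending on which of the two startup methods above is in use.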
Parameter:
Technical Mechanism:
In addition to auditing new user and group accounts, these watches
will alert the system administrator(s) to any modifications. Any unexpected
users, groups, or modifications should be investigated for legitimacy.
Fix:
No Remediation Info
References:
Resource Id | Reference |
---|---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:48543 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:48753 |