SV-100425r1_rule
V-89775
SRG-OS-000303-GPOS-00120
VRAU-SL-000995
CAT II
10
Configure "execute" auditing of the "usermod" and "groupmod" executables. Add the following to the /etc/audit/audit.rules file:
-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod
Configure "execute" auditing of the "userdel" and "groupdel" executables. Add the following to the /etc/audit/audit.rules file:
-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel
Configure "execute" auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
Configure "execute" auditing of the "passwd" executable. Add the following to the aud.rules:
-w /usr/bin/passwd -p x -k passwd
Configure "write" auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the /etc/audit/audit.rules file:
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/security/opasswd -p wa -k opasswd
Restart the auditd service:
# service auditd restart
Determine if execution of the "usermod" and "groupmod" executable are audited:
# auditctl -l | egrep '(usermod|groupmod)'
If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "userdel" and "groupdel" executable are audited:
# auditctl -l | egrep '(userdel|groupdel)'
If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of "useradd" and "groupadd" are audited:
# auditctl -l | egrep '(useradd|groupadd)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "passwd" executable is audited:
# auditctl -l | grep “/usr/bin/passwd”
If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.
Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/security/opasswd are audited for writing:
# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'
If any of these are not listed with a permissions filter of at least "w", this is a finding.
V-89775
False
VRAU-SL-000995
Determine if execution of the "usermod" and "groupmod" executable are audited:
# auditctl -l | egrep '(usermod|groupmod)'
If either "usermod" or "groupmod" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "userdel" and "groupdel" executable are audited:
# auditctl -l | egrep '(userdel|groupdel)'
If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of "useradd" and "groupadd" are audited:
# auditctl -l | egrep '(useradd|groupadd)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "passwd" executable is audited:
# auditctl -l | grep “/usr/bin/passwd”
If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.
Determine if /etc/passwd, /etc/shadow, /etc/group, and /etc/security/opasswd are audited for writing:
# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'
If any of these are not listed with a permissions filter of at least "w", this is a finding.
M
3459