STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The operating system must automatically audit account termination.

DISA Rule

SV-208890r603263_rule

Vulnerability Number

V-208890

Group Title

SRG-OS-000241

Rule Version

OL6-00-000177

Severity

CAT III

CCI(s)

• CCI-001405 - The information system automatically audits account removal actions.

Weight

10

Fix Recommendation

Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:

# audit_account_changes
-w /etc/group -p wa -k audit_account_changes
-w /etc/passwd -p wa -k audit_account_changes
-w /etc/gshadow -p wa -k audit_account_changes
-w /etc/shadow -p wa -k audit_account_changes
-w /etc/security/opasswd -p wa -k audit_account_changes

Check Contents

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Vulnerability Number

V-208890

Documentable

False

Rule Version

OL6-00-000177

Severity Override Guidance

To determine if the system is configured to audit account changes, run the following command:

$sudo egrep -w '(/etc/passwd|/etc/shadow|/etc/group|/etc/gshadow|/etc/security/opasswd)' /etc/audit/audit.rules

If the system is configured to watch for account changes, lines should be returned for each file specified (and with "-p wa" for each).

If the system is not configured to audit account changes, this is a finding.

Check Content Reference

M

Target Key

2928

Comments