SV-99309r1_rule
V-88659
SRG-OS-000304-GPOS-00121
VROM-SL-000975
CAT II
10
Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file:
-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod
Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file:
-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel
Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
Configure execute auditing of the "passwd" executable. Add the following to the aud.rules:
-w /usr/bin/passwd -p x -k passwd
Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file:
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/security/opasswd -p wa -k opasswd
Restart the auditd service:
# service auditd restart
Determine if execution of the "usermod" and "groupmod" executable are audited:
# auditctl -l | egrep '(usermod|groupmod)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "userdel" and "groupdel" executable are audited:
# auditctl -l | egrep '(userdel|groupdel)'
If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of "useradd" and "groupadd" are audited:
# auditctl -l | egrep '(useradd|groupadd)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "passwd" executable is audited:
# auditctl -l | grep "/usr/bin/passwd"
If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.
Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing:
# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'
If any of these are not listed with a permissions filter of at least "w", this is a finding.
V-88659
False
VROM-SL-000975
Determine if execution of the "usermod" and "groupmod" executable are audited:
# auditctl -l | egrep '(usermod|groupmod)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "userdel" and "groupdel" executable are audited:
# auditctl -l | egrep '(userdel|groupdel)'
If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of "useradd" and "groupadd" are audited:
# auditctl -l | egrep '(useradd|groupadd)'
If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.
Determine if execution of the "passwd" executable is audited:
# auditctl -l | grep "/usr/bin/passwd"
If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.
Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing:
# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'
If any of these are not listed with a permissions filter of at least "w", this is a finding.
M
3461