5.3.8 Record Events That Modify User/Group Information '/etc/shadow'
Information
Configuration Level : Level-II
Solution
Add the following lines to the /etc/audit/audit.rules file:
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Execute the following command to restart auditd
# pkill -P 1 -HUP auditd
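One way to confirm that a rules file carries all five identity watches, as an added example that is not part of the original benchmark text. The function names and the sample rules are constructed for illustration, and a rule without an explicit -p is reported as missing (a conservative choice of this example).

```shell
#!/bin/sh
# Added example: report which identity watches are absent from an audit rules file.

REQUIRED_PATHS="/etc/group /etc/passwd /etc/gshadow /etc/shadow /etc/security/opasswd"

# Print each required path that has no "-w <path>" rule whose -p permissions
# include both w (write) and a (attribute change) and whose key is "identity".
# Permission order and extra permissions (aw, rwxa) are accepted.
# Returns 0 when every path is covered, 1 otherwise.
missing_identity_watches() {
    awk -v required="$REQUIRED_PATHS" '
        BEGIN { bad = 0 }
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            path = ""; perms = ""; key = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-w") path = $(i + 1)
                else if ($i == "-p") perms = $(i + 1)
                else if ($i == "-k") key = $(i + 1)
            }
            if (path != "" && perms ~ /w/ && perms ~ /a/ && key == "identity")
                covered[path] = 1
        }
        END {
            n = split(required, want, " ")
            for (j = 1; j <= n; j++)
                if (!(want[j] in covered)) { print want[j]; bad = 1 }
            exit bad
        }
    ' "$1"
}

# Constructed sample: /etc/shadow watches writes only, the opasswd rule is absent.
write_sample_rules() {
    cat > "$1" <<'EOF'
# constructed sample rules, not taken from a real host
-w /etc/group -p wa -k identity
-w /etc/passwd -p aw -k identity
-w /etc/gshadow -p rwxa -k identity
-w /etc/shadow -p w -k identity
EOF
}

sample=$(mktemp)
write_sample_rules "$sample"
if ! gaps=$(missing_identity_watches "$sample"); then
    printf 'missing or too-narrow watch: %s\n' $gaps
fi
rm -f "$sample"
```

Point the function at /etc/audit/audit.rules on the host being checked; an empty result with exit status 0 means all five watches are present.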