5.3.8 Record Events That Modify User/Group Information '/etc/security/opasswd'

Information

Configuration Level : Level-II

Solution

Add the following lines to the /etc/audit/audit.rules file.-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Execute the following command to restart auditd
# pkill -P 1-HUP auditd

See Also

https://workbench.cisecurity.org/files/214

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CCE|CCE-14829-6

Plugin: Unix

Control ID: 553da38f61bfc032ec2545de53121b5d16b2b10af89d06313fb98e4411b1859c