PHTN-67-000044 - The Photon operating system must audit all account modifications - usermod

Information

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to modify an existing account. Auditing account modification actions provides logging that can be used for forensic purposes.

Solution

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines:

-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod

At the command line, execute the following command:

# /sbin/augenrules --load

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CAT|II, CCI|CCI-000172, Rule-ID|SV-251878r816564_rule, STIG-ID|PHTN-67-000044, Vuln-ID|V-251878

Plugin: Unix

Control ID: 31ac146aa1cc1d6604d10486736b611202cf1157f39bfe85461c8a94b071c2e1