PHTN-67-000047 - The Photon operating system must audit all account removal actions - userdel

Information

When operating system accounts are removed, user accessibility is affected. Accounts are used for identifying individual users or the operating system processes themselves. To detect and respond to events affecting user accessibility and system processing, operating systems must audit account removal actions.

Solution

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines:

-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel

At the command line, execute the following command:

# /sbin/augenrules --load

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|II, CCI|CCI-001405, Rule-ID|SV-239118r816634_rule, STIG-ID|PHTN-67-000047, Vuln-ID|V-239118

Plugin: Unix

Control ID: d84ea8de5e7b99129e77ee5e6c60e89c7f936f0dc9e02af433e6010b62cb8cbf