← Back to Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide

V-253025

CAT II (Medium)

TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".

Rule ID

SV-253025r958684_rule

STIG

Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide

Version

V2R5

CCIs

CCI-002130

Discussion

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes.

Check Content

Verify TOSS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".

Check the auditing rules in "/etc/audit/audit.rules" with the following command:

$ sudo grep /etc/gshadow /etc/audit/audit.rules

-w /etc/gshadow -p wa -k identity

If the command does not return a line, or the line is commented out, this is a finding.

Fix Text

Configure TOSS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/gshadow".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /etc/gshadow -p wa -k identity

The audit daemon must be restarted for the changes to take effect.