← Back to HYCU Protege Security Technical Implementation Guide

V-268233

CAT II (Medium)

The HYCU virtual appliance must automatically audit account disabling actions.

Rule ID

SV-268233r1038652_rule

STIG

HYCU Protege Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001404

Discussion

Account management ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account disabling actions will support account management procedures. When device management accounts are disabled, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

Check Content

Verify the operating system must generate audit records for all account disabling events.

Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep -E "/etc/passwd|/etc/gshadow|/etc/shadow|/etc/security/opasswd|/etc/group|/etc/sudoers|/etc/sudoers.d/" /etc/audit/audit.rules

-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

If the command does not return all the lines above, or one or more of the lines are commented out, this is a finding.

Fix Text

Log in to the HYCU VM console and load the STIG audit rules by using the following commands:

1. cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/

2. augenrules --load