The operating system must automatically audit account termination.
In addition to auditing new user and group accounts, these watches will alert the system administrator(s) to any modifications. Any unexpected users, groups, or modifications should be investigated for legitimacy.
If the system is configured to watch for account changes, lines should be returned for each file specified (and with "perm=wa" for each). If the system is not configured to audit account changes, this is a finding.
Fix Text (F-43486r1_fix)
Add the following to "/etc/audit/audit.rules", in order to capture events that modify account changes:
# audit_account_changes -w /etc/group -p wa -k audit_account_changes -w /etc/passwd -p wa -k audit_account_changes -w /etc/gshadow -p wa -k audit_account_changes -w /etc/shadow -p wa -k audit_account_changes -w /etc/security/opasswd -p wa -k audit_account_changes