TOSS must generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-253026 | TOSS-04-030810 | SV-253026r958684_rule | CCI-002130 | medium |
| Description | ||||
| Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to enable a new or disabled account. Auditing account modification actions provides logging that can be used for forensic purposes. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide | 2025-05-08 | |||
Details
Check Text (C-253026r958684_chk)
Verify TOSS generates audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Check the auditing rules in "/etc/audit/audit.rules" with the following command:
$ sudo grep /etc/passwd /etc/audit/audit.rules
-w /etc/passwd -p wa -k identity
If the command does not return a line, or the line is commented out, this is a finding.
Fix Text (F-56429r825988_fix)
Configure TOSS to generate audit records for all account creations, modifications, disabling, and termination events that affect "/etc/passwd".
Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":
-w /etc/passwd -p wa -k identity
The audit daemon must be restarted for the changes to take effect.