The SUSE operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow.

STIG ID: SLES-12-020220  |  SRG: SRG-OS-000004-GPOS-00004 | Severity: medium |  CCI: CCI-001403,CCI-000172,CCI-000018,CCI-002132,CCI-002130

Vulnerability Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk.

To address access requirements, many SUSE operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Satisfies: SRG-OS-000004-GPOS-00004, SRG-OS-000239-GPOS-00089, SRG-OS-000240-GPOS-00090, SRG-OS-000241-GPOS-00091, SRG-OS-000303-GPOS-00120, SRG-OS-000476-GPOS-00221

Check

Verify the SUSE operating system generates an audit record when modifications occur to the "/etc/shadow" file.

Check that the following file is being watched by performing the following command on the system rules in "/etc/audit/audit.rules":

# sudo grep /etc/shadow /etc/audit/audit.rules

-w /etc/shadow -p wa -k account_mod

If the command does not return a line, or the line is commented out, this is a finding.

Fix

Configure the SUSE operating system to generate an audit record when all modifications to the "/etc/shadow" file occur.

Add or update the following rule to "/etc/audit/rules.d/audit.rules":

-w /etc/shadow -p wa -k account_mod

The audit daemon must be restarted for any changes to take effect.

# sudo systemctl restart auditd.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.