Profile Applicability:
 • Level 2

Description:
 Modifications to user and group information, such as adding, deleting, or changing accounts and groups, can impact system security and access control. Collecting audit events for these modifications provides visibility into changes and helps detect unauthorized activity.

Rationale:
 Auditing user and group modification events supports accountability, enables detection of unauthorized changes, and aids in forensic investigations.

Impact:
 Pros:

  • Provides visibility into critical account and group management activities.

  • Supports compliance with security policies and regulatory requirements.

 Cons:

  • May generate significant audit data; requires effective log management.

Default Value:
 Audit rules for user and group modifications may not be enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check current audit rules for user/group modifications:

auditctl -l | grep user_mod

  1. Verify that a watch keyed user_mod exists for each of the account database files: /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. Account management tools such as useradd, userdel, groupadd and groupdel are commands, not syscalls, so they cannot be audited by name; they are covered because every change they make is a write to one of these files, which is what a -p wa watch records. auditctl -l must be run as root, and an empty result means no such rules are loaded.

Implementation Plan:

Using Linux command line:

Add audit rules to monitor user and group modifications (the rules take effect immediately but are lost at reboot):

auditctl -w /etc/passwd -p wa -k user_mod
auditctl -w /etc/group -p wa -k user_mod
auditctl -w /etc/shadow -p wa -k user_mod
auditctl -w /etc/gshadow -p wa -k user_mod
  1. Persist the rules by writing the same four lines, without the auditctl prefix (for example -w /etc/passwd -p wa -k user_mod), to /etc/audit/rules.d/audit.rules, then load them with augenrules --load so that the running rules and the on-disk rules match.

Backout Plan:

Using Linux command line:

Remove or disable audit rules for user/group modifications if necessary (the -W options must match the -w rule exactly for the watch to be removed):

auditctl -W /etc/passwd -p wa -k user_mod
auditctl -W /etc/group -p wa -k user_mod
auditctl -W /etc/shadow -p wa -k user_mod
auditctl -W /etc/gshadow -p wa -k user_mod
  1. Delete the same lines from /etc/audit/rules.d/audit.rules, then reload the audit daemon configuration with augenrules --load. Reloading without first editing the file re-adds the watches that -W just removed.
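The following script is an added example, not part of the benchmark text, that carries the Test, Implementation and Backout plans above through as one tool: it emits the four watches in rules.d syntax, persists and loads them, checks auditctl -l output for all of them, and backs them out in the order that survives a reload. The rules file name 50-user_mod.rules is an assumption (augenrules concatenates any *.rules file under /etc/audit/rules.d/); the auditctl and augenrules invocations use only their documented flags. The verify step reads auditctl -l output on stdin, so it can be exercised offline against a captured listing.

```shell
#!/bin/sh
# Added example: persist, load, verify and back out the user_mod audit watches.
# Assumed (not from the benchmark): the rules file name 50-user_mod.rules.

# Files whose modification means an account or group was changed.
USER_MOD_FILES="/etc/passwd /etc/group /etc/shadow /etc/gshadow"
USER_MOD_KEY="user_mod"
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/50-user_mod.rules}"

# Emit the watches in rules.d syntax: no "auditctl" prefix, one rule per line.
# These are the same rules as "auditctl -w ... -p wa -k user_mod", in the form
# that augenrules merges into /etc/audit/audit.rules.
user_mod_rules() {
    for f in $USER_MOD_FILES; do
        printf -- '-w %s -p wa -k %s\n' "$f" "$USER_MOD_KEY"
    done
}

# Implementation plan: write the persistent file, then load it. Requires root.
# augenrules --load rebuilds audit.rules from rules.d and hands it to auditctl,
# so the live kernel rules cannot drift from what is on disk.
apply_user_mod_rules() {
    user_mod_rules > "$RULES_FILE"
    chmod 0640 "$RULES_FILE"
    augenrules --load
}

# Test plan: read "auditctl -l" output on stdin; return 0 only if every file
# has a watch with permissions wa and the expected key. auditctl -l prints a
# watch back as "-w /etc/passwd -p wa -k user_mod".
verify_user_mod_rules() {
    loaded=$(cat)
    missing=0
    for f in $USER_MOD_FILES; do
        # -e is required because the pattern itself starts with "-w".
        if ! printf '%s\n' "$loaded" | grep -Eq -e "^-w $f -p wa -k $USER_MOD_KEY\$"; then
            echo "MISSING: watch on $f with key $USER_MOD_KEY" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Backout plan: remove the persistent file BEFORE reloading; otherwise
# augenrules --load re-adds the watches that -W just removed.
remove_user_mod_rules() {
    rm -f "$RULES_FILE"
    for f in $USER_MOD_FILES; do
        auditctl -W "$f" -p wa -k "$USER_MOD_KEY"
    done
    augenrules --load
}

# Usage (as root):
#   sh audit_user_mod.sh apply    # implementation plan
#   sh audit_user_mod.sh verify   # test plan
#   sh audit_user_mod.sh remove   # backout plan
case "${1:-}" in
    apply)  apply_user_mod_rules ;;
    verify) auditctl -l | verify_user_mod_rules && echo "all user_mod watches loaded" ;;
    remove) remove_user_mod_rules ;;
esac
```

Because verify_user_mod_rules anchors each pattern with ^ and $, a rule that watches the right file but with a different key or a weaker permission set (for example -p w only) is reported as missing rather than silently accepted, which is the failure mode a drifted or partially edited rules file produces.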

References: