Profile Applicability:
 • Level 2

Description:
The usermod command modifies user account properties. Recording both successful and unsuccessful attempts to use usermod is critical to detect unauthorized changes to user accounts and maintain system security.

Rationale:
 Auditing all executions of the usermod command supports accountability and helps identify potential misuse or malicious activity.

Impact:
 Pros:

  • Provides visibility into user account modifications.

  • Supports forensic analysis and compliance.

 Cons:

  • May increase audit log volume; requires effective log management.

Default Value:
 Audit of usermod command usage is typically not enabled by default.

Pre-requisites:

Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check current audit rules for usermod:

auditctl -l | grep usermod

Verify audit rules exist for tracking executions of usermod.

Implementation Plan:

Using Linux command line:

Add audit rules to log execution of usermod:

auditctl -w /usr/sbin/usermod -p x -k usermod-change

Persist the rule by adding it to /etc/audit/rules.d/audit.rules as a rule line (the same arguments as above, without the leading auditctl).

Backout Plan:

Using Linux command line:

Remove or disable the usermod audit rule if necessary:

auditctl -W /usr/sbin/usermod -p x -k usermod-change

Reload audit daemon configuration.
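The test, implementation and backout steps above, carried out by a small set of POSIX sh helper functions. This is an added example, not part of the benchmark text. It assumes auditd (auditctl, augenrules) is installed, that usermod lives at /usr/sbin/usermod, and that the persistent rule goes into /etc/audit/rules.d/audit.rules; both paths and the key name can be overridden through the variables at the top. The functions that touch the running kernel need root; the ones that inspect rule listings or edit a rules file do not, so they can be exercised against a copy first.

```shell
#!/bin/sh
# Added example, not part of the benchmark text: helpers for the usermod
# watch rule. Assumptions: auditd/auditctl/augenrules are installed, the
# binary is /usr/sbin/usermod, the rules file is
# /etc/audit/rules.d/audit.rules (all overridable below).

USERMOD_BIN="${USERMOD_BIN:-/usr/sbin/usermod}"
USERMOD_KEY="${USERMOD_KEY:-usermod-change}"
RULES_FILE="${RULES_FILE:-/etc/audit/rules.d/audit.rules}"

# The rule in rules.d syntax: same arguments as the auditctl command,
# without the auditctl prefix.
usermod_rule() {
    printf '%s %s -p x -k %s\n' '-w' "$USERMOD_BIN" "$USERMOD_KEY"
}

# Test plan: read `auditctl -l` output on stdin and succeed only if a watch
# on the usermod binary with execute (x) permission is loaded. Accepts both
# the current "-w <path> -p <perms>" listing and the older
# "watch=<path> perm=<perms>" form.
rule_loaded() {
    grep -Eq -- "(-w[[:space:]]+|watch=)$USERMOD_BIN([[:space:]]|$).*(-p[[:space:]]+|perm=)[rwa]*x"
}

# Live check against the running audit subsystem (requires root).
check_live() {
    auditctl -l | rule_loaded
}

# Implementation plan, persistence: append the rule to the rules file unless
# an identical line is already present, so re-running is harmless.
persist_rule() {
    file="${1:-$RULES_FILE}"
    rule="$(usermod_rule)"
    if [ -f "$file" ] && grep -Fxq -- "$rule" "$file"; then
        return 0
    fi
    printf '%s\n' "$rule" >> "$file"
}

# Implementation plan, live rule: load the watch now and rebuild the
# persistent rule set from rules.d so it survives a reboot (requires root).
load_rule() {
    auditctl -w "$USERMOD_BIN" -p x -k "$USERMOD_KEY" && augenrules --load
}

# Backout, persistence: drop the exact rule line from the rules file.
# Rewriting through cat keeps the file's owner and mode.
unpersist_rule() {
    file="${1:-$RULES_FILE}"
    [ -f "$file" ] || return 0
    rule="$(usermod_rule)"
    tmp="$(mktemp)"
    grep -Fxv -- "$rule" "$file" > "$tmp" || true   # grep -v exits 1 when nothing is left
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Backout, live rule: remove the watch from the running kernel and reload the
# remaining persistent rules (requires root).
remove_rule() {
    auditctl -W "$USERMOD_BIN" -p x -k "$USERMOD_KEY" && augenrules --load
}

# Stand-alone use as root, assuming this file is saved as usermod_audit.sh
# (hypothetical name):
#   . ./usermod_audit.sh && persist_rule && load_rule && check_live && echo "usermod watch active"
```

Once the watch is loaded, events carrying the key are retrieved with `ausearch -k usermod-change`. For a full backout, run unpersist_rule as well as remove_rule: removing only the live watch leaves the line in rules.d, and the rule comes back the next time augenrules runs or the system boots.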

References: