The Photon operating system must generate audit records for all access and modifications to the opasswd file.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-258899 | SRG-OS-000480-GPOS-00227 | PHTN-40-000238 | SV-258899r991589_rule | 2024-07-11 | 2 |
Description |
---|
Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. |
ℹ️ Check |
---|
At the command line, run the following command to verify an audit rule exists to audit the opasswd file: `# auditctl -l | grep -E /etc/security/opasswd` Expected result: `-w /etc/security/opasswd -p wa -k opasswd` If the opasswd file is not monitored for access or writes, this is a finding. Note: This check depends on the "auditd" service to be in a running state for accurate results. The "auditd" service is enabled in control PHTN-40-000016. |
✔️ Fix |
---|
Navigate to and open: `/etc/audit/rules.d/audit.STIG.rules` Add or update the following lines: `-w /etc/security/opasswd -p wa -k opasswd` At the command line, run the following command to load the new audit rules: `# /sbin/augenrules --load` Note: An "audit.STIG.rules" file is provided with this guidance for placement in "/etc/audit/rules.d" that contains all rules needed for auditd. Note: An older "audit.STIG.rules" may exist and may reference older "GEN" SRG IDs. This file can be removed and replaced as necessary with an updated one. |
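
The grep in the Check matches on the path alone, so a rule that watches the file with other permissions, or a commented-out line when the same grep is run against a rules file, also produces output. The shell function below is an added example, not part of the STIG content: it reads rules in `auditctl -l` format on stdin and reports a finding unless an active rule covers `/etc/security/opasswd` with both `w` and `a`. The function name and the sample rule lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the STIG): the function name and all sample rule
# lines below are constructed for illustration.
# Reads audit rules on stdin, either `auditctl -l` output or a rules.d file,
# and prints "pass" only if an active rule covers /etc/security/opasswd with
# both write (w) and attribute-change (a) permissions; otherwise "finding".
opasswd_rule_status() {
    awk -v target="/etc/security/opasswd" '
    /^[ \t]*#/ { next }                # commented-out rules are not active
    {
        path = ""; perm = ""
        for (i = 1; i <= NF; i++) {
            # Watch form: -w <path> -p <perms>
            if ($i == "-w" && i < NF) path = $(i + 1)
            if ($i == "-p" && i < NF) perm = $(i + 1)
            # Equivalent syscall-rule form: -F path=<path> -F perm=<perms>
            if ($i ~ /^path=/) path = substr($i, 6)
            if ($i ~ /^perm=/) perm = substr($i, 6)
        }
        # Exact path match, so /etc/security/opasswd.old does not count
        if (path == target && perm ~ /w/ && perm ~ /a/) ok = 1
    }
    END { print (ok ? "pass" : "finding") }'
}

# Constructed sample: the rule from the Fix text
printf '%s\n' '-w /etc/security/opasswd -p wa -k opasswd' | opasswd_rule_status
# Constructed sample: path matches the grep, but only reads are audited
printf '%s\n' '-w /etc/security/opasswd -p r -k opasswd' | opasswd_rule_status

# On a live system (as root): auditctl -l | opasswd_rule_status
```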