← Back to HYCU Protege Security Technical Implementation Guide

V-268234

CAT II (Medium)

The HYCU virtual appliance must automatically audit account removal actions.

Rule ID

SV-268234r1038654_rule

STIG

HYCU Protege Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-001405

Discussion

Account management, as a whole, ensures access to the network device is being controlled in a secure manner by granting access to only authorized personnel. Auditing account removal actions will support account management procedures. When device management accounts are terminated, user or service accessibility may be affected. Auditing also ensures authorized active accounts remain enabled and available for use when required.

Check Content

Verify the operating system generates audit records for all account removal events.

Check the auditing rules in "/etc/audit/audit.rules" with the following command:
# grep -E "/etc/passwd|/etc/gshadow|/etc/shadow|/etc/security/opasswd|/etc/group|/etc/sudoers|/etc/sudoers.d/" /etc/audit/audit.rules

-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity

If the command does not return all the lines above, or one or more of the lines are commented out, this is a finding.

Fix Text

Log in to the HYCU VM console and load the STIG audit rules by using the following commands:

1. cp /usr/share/audit/sample-rules/10-base-config.rules /usr/share/audit/sample-rules/30-stig.rules /usr/share/audit/sample-rules/31-privileged.rules /usr/share/audit/sample-rules/99-finalize.rules /etc/audit/rules.d/

2. augenrules --load