{"description": "\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /etc/pam.conf -p wa -k audit_rules_usergroup_modification</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /etc/pam.conf -p wa -k audit_rules_usergroup_modification</pre>", "rationale": "The PAM configuration file defines the authentication mechanism\nused by PAM-aware applications. Any unexpected changes to PAM configuration\nshould be investigated.", "severity": "medium", "references": {"cis": ["6.3.3.8"]}, "control_references": {"cis": ["6.3.3.8"]}, "components": [], "identifiers": {}, "ocil_clause": null, "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/etc/pam.conf\" with the following command:\n\n$ sudo auditctl -l | grep /etc/pam.conf\n\n-w /etc/pam.conf -p wa -k audit_rules_usergroup_modification", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that <tt>\"/etc/pam.conf\"</tt>.\nAdd or update the following file system rule to <tt>\"/etc/audit/rules.d/audit.rules\"</tt>:\n-w /etc/pam.conf -p wa -k audit_rules_usergroup_modification\n\nThe audit daemon must be restarted for the changes to take effect. ", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Events that Modify User/Group Information - /etc/pam.conf", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_usergroup_modification_pam_conf/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/etc/pam.conf", "key": "audit_rules_usergroup_modification"}, "backends": {}}}