Canmove, confirm
937
edits
Changes
→Auditable Events
** Red Hat Enterprise Linux 4
*** The programs <code>/usr/sbin/useradd</code>, <code>/usr/sbin/usermod</code>, and <code>/usr/sbin/userdel</code> in the shadow-utils package audit the addition or deletion of user accounts. You can verify by doing <code>ldd</code> against the programs and seeing that they are linked to <code>libaudit.so.0</code>. The audit message types are <code>AUDIT_ADD_USER</code> and <code>AUDIT_DEL_USER</code>.
*** FMT_MSA.1 ''All modifications of the values of security attributes'', FMT_MTD.1 User Attributes ''All modifications to the values of TSF data'', and FAU_SMR.1 ''Modifications to the group of users that are part of a role'' are auditable events. (See [http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID10072-ST.pdf Security Target], Table 5-1, page pages 31-32.)
** Trusted Solaris 8: Audit.5 ''The creation, deletion, disabling or enabling of user accounts is auditable''. (See [http://www.commoncriteriaportal.org/public/files/epfiles/TSolaris8_Issue3.1.pdf Security Target], page 55.)
* operations to process audit data stored in the audit trail: these operations are recorded by the audit mechanism of the OS.
