---

{{ if .Vars.ubtu24cis_level_2 }}
  {{ if .Vars.ubtu24cis_rule_6_2_3_8 }}
command:
  auditd_identity_cnf:
    title: 6.2.3.8 | Ensure events that modify user/group information are collected | Config
    exec: grep identity /etc/audit/rules.d/*.rules
    exit-status: 0
    stdout:
    - '-w /etc/group -p wa -k identity'
    - '-w /etc/passwd -p wa -k identity'
    - '-w /etc/gshadow -p wa -k identity'
    - '-w /etc/shadow -p wa -k identity'
    - '-w /etc/nsswitch.conf -p wa -k identity'
    - '-w /etc/pam.conf -p wa -k identity'
    - '-w /etc/pam.d -p wa -k identity'
    - '-w /etc/security/opasswd -p wa -k identity'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
      - 6.2.3.8
      CISv8:
      - 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - AU-3
  auditd_identity_live:
    title: 6.2.3.8 | Ensure events that modify user/group information are collected | Live
    exec: auditctl -l | grep identity
    exit-status: 0
    stdout:
    - '-w /etc/group -p wa -k identity'
    - '-w /etc/passwd -p wa -k identity'
    - '-w /etc/gshadow -p wa -k identity'
    - '-w /etc/nsswitch.conf -p wa -k identity'
    - '-w /etc/pam.conf -p wa -k identity'
    - '-w /etc/pam.d -p wa -k identity'
    - '-w /etc/shadow -p wa -k identity'
    - '-w /etc/security/opasswd -p wa -k identity'
    meta:
      server: 2
      workstation: 2
      CIS_ID:
      - 6.2.3.8
      CISv8:
      - 8.5
      CISv8_IG1: false
      CISv8_IG2: true
      CISv8_IG3: true
      NIST800-53R5:
      - AU-3
  {{ end }}
{{ end }}