Verify User Permission Modifications on Host
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Security recommendation
| Impact | Remediation complexity | Severity | Recommended value |
|---|
| 4 | 2 | 4 | Monitor and investigate all user access removal activities |
User permission modifications should be monitored and investigated to detect potential impact events, unauthorized account manipulation, or attempts to disrupt system operations. User permission modifications should align with organizational offboarding and access management policies.
Compliance
Documentation
User permission modifications activities involve deleting user accounts or disabling user access through account locking, expiration, or inactivation. This detection monitors two primary methods of user access removal:
- User account deletion: Complete removal of user accounts from the system using commands like
userdel - Account locking/disabling: Using
passwd command with flags to lock (-l), expire (-e), or inactivate (-i) user accounts
Prerequisites
You must have:
root or sudo privileges to investigate user permission modifications- Access to system audit logs and authentication logs
- Knowledge of authorized user management procedures
- User account backup, or directory service access, for recovery
- Agent v7.27 or newer for Workload Security monitoring
Step-by-step guide
Step 1: Investigate the user access removal
Identify what user access was removed, by whom, and when:
# Check authentication logs for user deletion or account locking
sudo grep -E "userdel|passwd.*-l|passwd.*-e|passwd.*-i" /var/log/auth.log | tail -20
# Review audit logs for user management activities
sudo ausearch -m USER_MGMT -ts recent
sudo ausearch -m DEL_USER -ts recent
# Check for account status changes
sudo grep "account" /var/log/secure | tail -20
# Review command history for the administrator who made changes
sudo cat /root/.bash_history | grep -E "userdel|passwd"
Step 2: Verify authorization
Determine if the user access removal was authorized:
- Verify with HR or management for employee offboarding
- Review change management tickets or approval records
- Check if the removal aligns with access review or security policies
- Contact the administrator who performed the removal
