Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information.At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise. Unix_update is a helper program for the pam_unix module that updates the password for a given user. It is not intended to be run directly from the command line and logs a security violation in that event.When a user logs on, the AUID is set to the UID of the account that is being authenticated. Daemons are not user sessions and have the loginuid set to -1. The AUID representation is an unsigned 32-bit integer, which equals 4294967295. The audit system interprets -1, 4294967295, and unset in the same way. Fixtext: Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-unix-update

[Yes/No]

Add or update the following rules in the "/etc/audit/audit.rules" file: -a always,exit -F path=/sbin/unix_update -F perm=x -F auid =1000 -F auid!=4294967295 -k privileged-unix-update