The SLES for vRealize must audit all account modifications.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89741	VRAU-SL-000870	SV-100391r1_rule		Medium

Description
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Description

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

STIG	Date
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-89433r2_chk )
Determine if execution of the usermod and groupmod executable are audited. # auditctl -l \| egrep '(usermod\|groupmod)' \| grep perm=x If either usermod or groupmod are not listed with a permissions filter of at least 'x', this is a finding.

Fix Text (F-96483r1_fix)
Configure execute auditing of the usermod and groupmod executables run the dodscript with the following command as root: # /etc/dodscript.sh OR.... Configure execute auditing of the usermod and groupmod executables. Add the following to the audit.rules file: -w /usr/sbin/usermod -p x -k usermod -w /usr/sbin/groupmod -p x -k groupmod Restart the auditd service. # service auditd restart