Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-240345 | VRAU-SL-000015 | SV-240345r670776_rule | | Medium |
Description |
---|
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. |
STIG | Date |
---|---|
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide | 2021-06-24 |
Check Text ( C-43578r670774_chk ) |
---|
Determine whether execution of the useradd and groupadd executables is audited.
# auditctl -l | egrep '(useradd|groupadd)'
If either useradd or groupadd is not listed with a permissions filter of at least "x", this is a finding.
Expected result:
LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd
LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd |
Fix Text (F-43537r670775_fix) |
---|
Configure execute auditing of the useradd and groupadd executables. Run the dodscript with the following command as root:
# /etc/dodscript.sh
OR
Configure execute auditing of the useradd and groupadd executables. Add the following to /etc/audit/audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
Restart the auditd service:
# service auditd restart |
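
A stricter form of the check above, as an added example that is not part of the STIG text: it reads rule text in either the LIST_RULES listing format or the -w syntax and confirms that the watch on each exact path has a permission filter containing "x", which matching on the names alone does not establish. The function names and sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluate audit rule text (auditctl -l output or audit.rules
# lines) for execute watches on useradd and groupadd.

# has_exec_watch PATH: reads rules on stdin; succeeds only if some rule
# watches exactly PATH with an explicit permission filter that includes "x".
# A watch with no explicit filter is treated as a finding (conservative choice).
has_exec_watch() {
    awk -v path="$1" '
        { sub(/#.*/, "") }                     # ignore commented-out rules
        /^LIST_RULES:/ {                       # legacy listing format
            w = ""; p = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^watch=/) w = substr($i, 7)
                if ($i ~ /^perm=/)  p = substr($i, 6)
            }
            if (w == path && index(p, "x")) found = 1
            next
        }
        {                                      # -w PATH -p PERMS syntax
            w = ""; p = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-w") w = $(i + 1)
                if ($i == "-p") p = $(i + 1)
            }
            if (w == path && index(p, "x")) found = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# check_account_audit: reads rules on stdin, prints one status line per
# binary, returns 0 when both are covered and 1 when there is a finding.
check_account_audit() {
    rules=$(cat)
    rc=0
    for bin in /usr/sbin/useradd /usr/sbin/groupadd; do
        if printf '%s\n' "$rules" | has_exec_watch "$bin"; then
            echo "OK      $bin"
        else
            echo "FINDING $bin"; rc=1
        fi
    done
    return $rc
}

# Constructed sample listings (not captured from a real system).
SAMPLE_OK='LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd
-w /usr/sbin/groupadd -p wx -k groupadd'
SAMPLE_BAD='-w /usr/sbin/useradd -p wa -k useradd
# -w /usr/sbin/groupadd -p x -k groupadd'
```

On a host, pipe the live listing into it as root: `auditctl -l | check_account_audit`.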