UCF STIG Viewer Logo

The SLES for vRealize must audit all account creations.


Finding ID Version Rule ID IA Controls Severity
V-240345 VRAU-SL-000015 SV-240345r670776_rule Medium
Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide 2023-09-22


Check Text ( C-43578r670774_chk )
Determine if execution of the useradd and groupadd executable are audited.

# auditctl -l | egrep '(useradd|groupadd)'

If either useradd or groupadd are not listed with a permissions filter of at least "x", this is a finding.

Expected result:
LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd
LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd
Fix Text (F-43537r670775_fix)
Configure execute auditing of the useradd and groupadd executables. Run the dodscript with the following command as root:

# /etc/dodscript.sh


Configure execute auditing of the useradd and groupadd executables.

Add the following to /etc/audit/audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

Restart the auditd service:
# service auditd restart