The SLES for vRealize must audit all account creations.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-239443 | VROM-SL-000015 | SV-239443r661780_rule | Medium |
| Description |
|---|
| Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements. |
| STIG | Date |
|---|---|
| VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide | 2021-07-01 |
Details
| Check Text ( C-42676r661778_chk ) |
|---|
| Determine if execution of the useradd and groupadd executable are audited. # auditctl -l | egrep '(useradd|groupadd)' If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding. Expected result: LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd |
| Fix Text (F-42635r661779_fix) |
|---|
| Configure execute auditing of the "useradd" and "groupadd" executables run the DoD.script with the following command as root: # /etc/dodscript.sh OR Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to /etc/audit/audit.rules: -w /usr/sbin/useradd -p x -k useradd -w /usr/sbin/groupadd -p x -k groupadd Restart the auditd service. # service auditd restart |