← Back to VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

V-240345

CAT II (Medium)

The SLES for vRealize must audit all account creations.

Rule ID

SV-240345r670776_rule

STIG

VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000018

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Check Content

Determine if execution of the useradd and groupadd executable are audited.

# auditctl -l | egrep '(useradd|groupadd)'

If either useradd or groupadd are not listed with a permissions filter of at least "x", this is a finding.

Expected result:
LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd
LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd

Fix Text

Configure execute auditing of the useradd and groupadd executables. Run the dodscript with the following command as root:

# /etc/dodscript.sh

OR

Configure execute auditing of the useradd and groupadd executables.

Add the following to /etc/audit/audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

Restart the auditd service:  
# service auditd restart