← Back to VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

V-239443

CAT II (Medium)

The SLES for vRealize must audit all account creations.

Rule ID

SV-239443r661780_rule

STIG

VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-000018

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply create a new account. Auditing of account creation mitigates this risk. To address access requirements, many SLES for vRealize operating systems may be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Check Content

Determine if execution of the useradd and groupadd executable are audited.

# auditctl -l | egrep '(useradd|groupadd)'

If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.

Expected result:
LIST_RULES: exit,always watch=/usr/sbin/useradd perm=x key=useradd
LIST_RULES: exit,always watch=/usr/sbin/groupadd perm=x key=groupadd

Fix Text

Configure execute auditing of the "useradd" and "groupadd" executables run the DoD.script with the following command as root:

# /etc/dodscript.sh

OR

Configure execute auditing of the "useradd" and "groupadd" executables. 

Add the following to /etc/audit/audit.rules:
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

Restart the auditd service. 

# service auditd restart