← Back to VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

V-240482

CAT II (Medium)

The SLES for vRealize must audit all account modifications.

Rule ID

SV-240482r671187_rule

STIG

VMware vRealize Automation 7.x SLES Security Technical Implementation Guide

Version

V2R2

CCIs

CCI-001403

Discussion

Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply modify an existing account. Auditing of account modification is one method for mitigating this risk. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Check Content

Determine if execution of the usermod and groupmod executable are audited.

# auditctl -l | egrep '(usermod|groupmod)' | grep perm=x

If either usermod or groupmod are not listed with a permissions filter of at least 'x', this is a finding.

Fix Text

Configure execute auditing of the usermod and groupmod executables run the dodscript with the following command as root:

# /etc/dodscript.sh

OR....

Configure execute auditing of the usermod and groupmod executables. Add the following to the audit.rules file:
-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod

Restart the auditd service.   
# service auditd restart