STIGQter STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018: The SLES for vRealize must notify System Administrators and Information System Security Officers when accounts are created, or enabled when previously disabled.

DISA Rule

SV-99309r1_rule

Vulnerability Number

V-88659

Group Title

SRG-OS-000304-GPOS-00121

Rule Version

VROM-SL-000975

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure execute auditing of the "usermod" and "groupmod" executables. Add the following to the "/etc/audit/audit.rules" file:

-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod

Configure execute auditing of the "userdel" and "groupdel" executables. Add the following to the "/etc/audit/audit.rules" file:

-w /usr/sbin/userdel -p x -k userdel
-w /usr/sbin/groupdel -p x -k groupdel

Configure execute auditing of the "useradd" and "groupadd" executables. Add the following to audit.rules:

-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

Configure execute auditing of the "passwd" executable. Add the following to the aud.rules:

-w /usr/bin/passwd -p x -k passwd

Configure write auditing of the "passwd", "shadow", "group", and "opasswd" files. Add the following to the "/etc/audit/audit.rules" file:

-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/security/opasswd -p wa -k opasswd

Restart the auditd service:

# service auditd restart

Check Contents

Determine if execution of the "usermod" and "groupmod" executable are audited:

# auditctl -l | egrep '(usermod|groupmod)'

If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of the "userdel" and "groupdel" executable are audited:

# auditctl -l | egrep '(userdel|groupdel)'

If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of "useradd" and "groupadd" are audited:

# auditctl -l | egrep '(useradd|groupadd)'

If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of the "passwd" executable is audited:

# auditctl -l | grep "/usr/bin/passwd"

If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.

Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing:

# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'

If any of these are not listed with a permissions filter of at least "w", this is a finding.

Vulnerability Number

V-88659

Documentable

False

Rule Version

VROM-SL-000975

Severity Override Guidance

Determine if execution of the "usermod" and "groupmod" executable are audited:

# auditctl -l | egrep '(usermod|groupmod)'

If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of the "userdel" and "groupdel" executable are audited:

# auditctl -l | egrep '(userdel|groupdel)'

If either "userdel" or "groupdel" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of "useradd" and "groupadd" are audited:

# auditctl -l | egrep '(useradd|groupadd)'

If either "useradd" or "groupadd" are not listed with a permissions filter of at least "x", this is a finding.

Determine if execution of the "passwd" executable is audited:

# auditctl -l | grep "/usr/bin/passwd"

If "/usr/bin/passwd" is not listed with a permissions filter of at least "x", this is a finding.

Determine if "/etc/passwd", "/etc/shadow", "/etc/group", and "/etc/security/opasswd" are audited for writing:

# auditctl -l | egrep '(/etc/passwd|/etc/shadow|/etc/group|/etc/security/opasswd)'

If any of these are not listed with a permissions filter of at least "w", this is a finding.

Check Content Reference

M

Target Key

3461

Comments