STIGQter STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

The SLES for vRealize must generate audit records for privileged activities or other system-level access.

DISA Rule

SV-99373r1_rule

Vulnerability Number

V-88723

Group Title

SRG-OS-000471-GPOS-00215

Rule Version

VROM-SL-001385

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

At a minimum, the SLES for vRealize audit system should collect the execution of privileged commands for all users and "root". To find the relevant setuid programs:

# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null

Then, for each setuid program on the system, add a line of the following form to "/etc/audit/audit.rules", where [SETUID_PROG_PATH] is the full path to each setuid program in the list:

-a always,exit -F path=[SETUID_PROG_PATH] -F perm=x -F auid>=500 -k privileged

OR

# /etc/dodscript.sh

Check Contents

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs:

# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null

Run the following command to verify entries in the audit rules for all programs found with the previous command:

# grep path /etc/audit/audit.rules

It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Vulnerability Number

V-88723

Documentable

False

Rule Version

VROM-SL-001385

Severity Override Guidance

To verify that auditing of privileged command use is configured, run the following command to find relevant setuid programs:

# find / -xdev -type f -perm -4000 -o -perm -2000 2>/dev/null

Run the following command to verify entries in the audit rules for all programs found with the previous command:

# grep path /etc/audit/audit.rules

It should be the case that all relevant setuid programs have a line in the audit rules. If it is not the case, this is a finding.

Check Content Reference

M

Target Key

3461

Comments