PHTN-67-000001 - The Photon operating system must audit all account creations - useradd

Information

Once an attacker establishes access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to create an account. Auditing account creation actions provides logging that can be used for forensic purposes.

Solution

Open /etc/audit/rules.d/audit.STIG.rules with a text editor and add the following lines:

-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd

At the command line, execute the following command:

# /sbin/augenrules --load

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_VMW_vSphere_6-7_Y23M07_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-2(4), CAT|II, CCI|CCI-000018, Rule-ID|SV-239073r816595_rule, STIG-ID|PHTN-67-000001, Vuln-ID|V-239073

Plugin: Unix

Control ID: 5022a29b485f466b2c045e5b5e88a2167e2a147b09df515e131816c8a5f61a24