The CA API Gateway must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.

An XCCDF Rule

Description

<VulnDiscussion>Once an attacker establishes initial access to a system, the attacker often attempts to create a persistent method of reestablishing access. One way to accomplish this is for the attacker to simply enable a new or disabled account. Notification of account enabling is one method for mitigating this risk. A comprehensive account management process will ensure an audit trail which documents the creation of application user accounts and notifies SAs and ISSMs. Such a process greatly reduces the risk that accounts will be surreptitiously enabled and provides logging that can be used for forensic purposes. In order to detect and respond to events that affect network administrator accessibility and device processing, network devices must audit account enabling actions and, as required, notify the appropriate individuals so they can investigate the event.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-86163r1_rule
Severity: Medium
References: CCI-002132
Updated: about 1 year ago

Install and configure (setup SNMP trap dest/authentication) alerter script in /usr/local/bin/alerter. 

Run "/usr/local/bin/alerter -w" to write initial config to filesystem. 

Configure cron to run "/usr/local/bin/alerter -c" every minute.
An example follows. The SNMP destination host and username/password are configured by editing the shell variables near the beginning of the script. SNMPUSER should be set to the username recognized by the SNMP Management Station. SNMPENGINEID should be set to the SNMPv3 EngineID the Management Station uses for this application. SNMPHOST should be set to the hostname of the SNMP Management Station. 

This authentication configuration is placed in "/etc/snmp/snmp.conf":
-----------------------------------

defSecurityLevel authPriv
defAuthType SHA
defPrivType AES
defAuthPassphrase {password123}
defPrivPassphrase {password123}
-----------------------------------

This snmp alerter script is placed in "/usr/local/bin/alerter script":
--------

#!/bin/bash

This script implements watching for changes in a system that may indicate unauthorized changes have been made to the system. It is designed to be run as "alerter -w" to capture the current configuration and then to be run out of cron on a regular basis as "alerter -c", which then compares the current configuration to the previously captured configuration. 

If the configuration has changed, an SNMP TRAP is sent using the "SNMPBASECMD" variable as the base "snmptrap" command. 
# SNMPBASECMD will have to be configured appropriately depending on the exact SNMPv3 security
# implemented on the SNMP Management Server.
#
# The script uses "/var/run/alerter" as a base directory to capture filesystem timestamps and
# the installed RPM software list.

SNMPUSER=myuser
SNMPENGINEID=0x0102030405
SNMPHOST=rsbfreebsd.ca.com

SNMPENTNUM="1.3.6.1.4.1.17304"
SNMPNOTIF=".7.3.128"
SNMPBASECMD="snmptrap -v 3 -n \"\"  -u ${SNMPUSER} -e ${SNMPENGINEID} ${SNMPHOST} 0 ${SNMPENTNUM}.7.3.128.0 ${SNMPENTNUM}.7.3.129.0 s"

ALERTER_ROOT=/var/run/alerter

ACCOUNTFILES=("/etc/passwd" "/etc/shadow" "/etc/group")

TSFILE=timestamps
RPMFILE=rpmlist

function usage {
  echo "$0 [-w | -c]"
  echo "   -w - Write data"
  echo "   -c - Compare current to data"
  echo " (at least one must be selected)"
  echo
}

function writeTsSummary {
  for file in ${ACCOUNTFILES[*]} 
  do
    ts=$(stat -c '%Y' $file)
    echo $file $ts >> $ALERTER_ROOT/$TSFILE
  done
}

function writeRpmSummary {
  rpm -qa >> $ALERTER_ROOT/$RPMFILE
}

function writeSummaries {

  if [ ! -d $ALERTER_ROOT ]
  then
    mkdir $ALERTER_ROOT
  fi

  rm -f $ALERTER_ROOT/$TSFILE $ALERTER_ROOT/$RPMFILE

  writeTsSummary
  writeRpmSummary
}

The CA API Gateway must notify System Administrators (SAs) and Information System Security Officers (ISSMs) when accounts are created, or enabled when previously disabled.

Description

Remediation - Manual Procedure