
The /etc/security/audit_user file must be group-owned by root, sys, or bin.


Overview

Finding ID: V-227535
Version: GEN000000-SOL00080
Rule ID: SV-227535r603266_rule
IA Controls:
Severity: Medium
Description
The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise.
STIG: Solaris 10 X86 Security Technical Implementation Guide
Date: 2020-12-04

Details

Check Text (C-29697r488132_chk)
Check /etc/security/audit_user group ownership.

# ls -lL /etc/security/audit_user

If /etc/security/audit_user is not group-owned by root, sys, or bin, this is a finding.
Fix Text (F-29685r488133_fix)
Change the group owner of the audit_user file to root, bin, or sys.
Example:
# chgrp root /etc/security/audit_user
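
The manual check above can be scripted for repeated compliance runs. The following is an added example, not part of the STIG text: the function names and the exit codes (0 = not a finding, 1 = finding, 2 = file could not be checked) are this example's own choices, and it sticks to Bourne-compatible syntax so it also runs under the Solaris 10 /bin/sh.

```shell
#!/bin/sh
# Added example: automates the Check Text for V-227535.
# Function names and exit codes are assumptions of this example.

ALLOWED_GROUPS="root sys bin"

# Print the group owner of a path, following symlinks as "ls -lL" does.
# Field 4 of the long listing is the group name (or a numeric GID when
# the GID has no entry in the group database).
file_group() {
    ls -lLd "$1" 2>/dev/null | awk '{ print $4 }'
}

# Return 0 if the named group is one the STIG permits, 1 otherwise.
# A bare numeric GID is treated as non-compliant and needs manual review.
group_is_compliant() {
    for allowed in $ALLOWED_GROUPS; do
        if [ "$1" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# Evaluate one file; defaults to the path named in the STIG.
check_audit_user() {
    target=${1:-/etc/security/audit_user}
    grp=`file_group "$target"`
    if [ -z "$grp" ]; then
        echo "ERROR: cannot read ownership of $target" >&2
        return 2
    fi
    if group_is_compliant "$grp"; then
        echo "PASS: $target is group-owned by $grp"
        return 0
    fi
    echo "FINDING V-227535: $target is group-owned by $grp (expected root, sys, or bin)"
    return 1
}
```

Source the file and call check_audit_user with no argument to evaluate /etc/security/audit_user; a missing file returns 2 rather than a pass, so it is not silently treated as compliant.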