The /etc/security/audit_user file must be group-owned by root, sys, or bin.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-4351 | GEN000000-SOL00080 | SV-4351r2_rule | ECLP-1 | Medium |
| Description |
|---|
| The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise. |
| STIG | Date |
|---|---|
| SOLARIS 9 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2015-10-01 |
Details
| Check Text ( C-8283r2_chk ) |
|---|
| Check /etc/security/audit_user group ownership. # ls -lL /etc/security/audit_user If /etc/security/audit_user is not group owned by root, sys, or bin, this is a finding. |
| Fix Text (F-4262r2_fix) |
|---|
| Change the group owner of the audit_user file to root, bin, or sys. Example: # chgrp root /etc/security/audit_user |