Check: GEN000000-SOL00040
Solaris 10 SPARC STIG: GEN000000-SOL00040 (in versions v2 r4 through v1 r17)
Title
The /etc/security/audit_user file must not define a different auditing level for specific users. (Cat II impact)
Discussion
The audit_user file may be used to selectively audit more, or fewer, auditing features for specific individuals. If used this way it could subject the activity to a lawsuit and could cause the loss of valuable auditing data in the case of a system compromise. If an item is audited for one individual (other than for root and administrative users - who have more auditing features) it must be audited for all.
Check Content
Perform:
# more /etc/security/audit_user
If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users, as defined in the /etc/security/audit_control file.
Fix Text
Edit the audit_user file and remove specific user configurations differing from the global audit settings.
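The comparison in the check above can be scripted against copies of the two files. The following is an added example, not part of the STIG text; it assumes the Solaris 10 `username:always-audit-flags:never-audit-flags` layout for audit_user and a `flags:` line in audit_control. It compares class tokens literally, and the function names, the `exempt` parameter and the sample file contents are constructed for illustration.

```python
# Added example (not STIG content). File contents below are constructed samples.
SAMPLE_AUDIT_CONTROL = """\
dir:/var/audit
flags:lo,ad,ex
naflags:lo
"""
SAMPLE_AUDIT_USER = """\
# username:always-audit-flags:never-audit-flags
root:lo,ad,ex,fm:no
alice:lo,ad:no
bob:lo,fw:no
carol:lo:ex
"""

def _classes(field):
    """Split a comma-separated flag field; 'no' (no classes) counts as empty."""
    items = (f.strip() for f in field.split(","))
    return {f for f in items if f and f != "no"}

def global_flags(audit_control_text):
    """Return the classes on the 'flags:' line of audit_control."""
    for line in audit_control_text.splitlines():
        if line.strip().startswith("flags:"):
            return _classes(line.split(":", 1)[1])
    return set()

def deviating_users(audit_user_text, audit_control_text, exempt=("root",)):
    """Map each non-exempt user to how its entry differs from the global flags."""
    system = global_flags(audit_control_text)
    findings = {}
    for raw in audit_user_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if parts[0] in exempt:
            continue
        if len(parts) != 3:
            findings[parts[0]] = "malformed entry"
            continue
        extra = sorted(_classes(parts[1]) - system)  # audited beyond the global set
        dropped = sorted(_classes(parts[2]))         # suppressed for this user only
        if extra or dropped:
            findings[parts[0]] = {"adds": extra, "removes": dropped}
    return findings

if __name__ == "__main__":
    print(deviating_users(SAMPLE_AUDIT_USER, SAMPLE_AUDIT_CONTROL))
```

Any user returned is a candidate for removal from audit_user under the fix text; administrative accounts that are meant to carry extra flags can be passed in `exempt`.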
Additional Identifiers
Rule ID: SV-226406r603265_rule
Vulnerability ID: V-226406
Group Title: SRG-OS-000470
CCIs
Number | Definition |
---|---|
CCI-000172 | Generate audit records for the event types defined in AU-2 c that include the audit record content defined in AU-3. |
Controls
Number | Title |
---|---|
AU-12 | Audit Generation |