Check: GEN000000-SOL00040
Solaris 9 X86 STIG:
GEN000000-SOL00040
(in version v1 r9)
Title
The /etc/security/audit_user file must not define a different auditing level for specific users. (Cat II impact)
Discussion
The audit_user file may be used to selectively audit more, or fewer, auditing features for specific individuals. If used this way it could subject the activity to a lawsuit and could cause the loss of valuable auditing data in the case of a system compromise. If an item is audited for one individual (other than for root and administrative users - who have more auditing features) it must be audited for all.
Check Content
Perform: # more /etc/security/audit_user If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users as defined in /etc/security/audit_control file.
Fix Text
Edit the audit_user file and remove specific user configurations differing from the global audit settings.
Additional Identifiers
Rule ID: SV-4353r2_rule
Vulnerability ID: V-4353
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000126 |
Specify the organization-defined event types (subset of the event types defined in AU-2a) along with the frequency of (or situation requiring logging for each identified event type. |
Controls
| Number | Title |
|---|---|
| AU-2 |
Audit Events |