UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The /etc/security/audit_user file must be group-owned by root, sys, or bin.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4351 GEN000000-SOL00080 SV-4351r2_rule ECLP-1 Medium
Description
The Solaris audit_user file allows for selective auditing or non-auditing of features for certain users. If it is not protected, it could be compromised and used to mask audit events. This could cause the loss of valuable forensics data in the case of a system compromise.
STIG Date
SOLARIS 10 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE 2018-04-10

Details

Check Text ( C-8283r2_chk )
Check /etc/security/audit_user group ownership.

# ls -lL /etc/security/audit_user

If /etc/security/audit_user is not group owned by root, sys, or bin, this is a finding.
Fix Text (F-4262r2_fix)
Change the group owner of the audit_user file to root, bin, or sys.
Example:
# chgrp root /etc/security/audit_user