From Solaris 11 SPARC Security Technical Implementation Guide
Part of SRG-OS-999999
Associated with: CCI-000366
Editing a system file with common tools such as vi, emacs, or gedit does not allow the auditing of changes made by an operator. This reduces the capability of determining which operator made security-relevant changes to the system.
Ask the operators if they use vi, emacs, or gedit to make changes to system files. If vi, emacs, or gedit are used to make changes to system files, this is a finding.
Advise the operators to use pdfedit or other appropriate command line tools to make system changes instead of vi, emacs, or gedit. Oracle Solaris includes administrative configuration files which use pfedit, and the solaris.admin.edit/path_to_file authorization is not recommended. Alternate commands exist which are both domain-specific and safer. For example, for the /etc/passwd, /etc/shadow, or /etc/user_attr files, use instead passwd, useradd, userdel, or usermod. For the /etc/group file, use instead groupadd, groupdel, or groupmod. For updating /etc/security/auth_attr, /etc/security/exec_attr, or /etc/security/prof_attr, the preferred command is profiles.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer