The /etc/security/audit_user file must not define a different auditing level for specific users.

From SOLARIS 10 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN000000-SOL00040

Associated with IA controls: ECAR-3, ECAR-2, ECAR-1

Associated with: CCI-000126

SV-4353r2_rule The /etc/security/audit_user file must not define a different auditing level for specific users.

Vulnerability discussion

The audit_user file may be used to selectively audit more, or fewer, auditing features for specific individuals. If used this way it could subject the activity to a lawsuit and could cause the loss of valuable auditing data in the case of a system compromise. If an item is audited for one individual (other than for root and administrative users - who have more auditing features) it must be audited for all.

Check content

Perform: # more /etc/security/audit_user If /etc/security/audit_user has entries other than root, ensure the users defined are audited with the same flags as all users as defined in /etc/security/audit_control file.

Fix text

Edit the audit_user file and remove specific user configurations differing from the global audit settings.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer