4.4 Enable Auditing of Process and Privilege Events - AUE_SETEGID


The Solaris Audit service can be configured to record the use of privileges by processes
running on the system. This will capture events such as the setting of UID and GID values,
setting of privileges, as well as the use of functionality such as chroot(2).


This recommendation will provide an audit trail that contains information related to the
use of privileges by processes running on the system. The Solaris Audit service is used to
provide a more centralized and complete window into activities such as these.


To enforce this setting, use the commands to modify the /etc/security/audit_event file
and add the cis audit class to the following audit events:

# awk 'BEGIN{FS=":"; OFS=":"} {if ($2 ~
D|AUE_SETPGID/) $4=$4",cis";} {print} ' /etc/security/audit_event >

# cp /etc/security/audit_event.CIS /etc/security/audit_event

See Also
