4.4 Enable Auditing of Process and Privilege Events

Information

The Solaris Audit service can be configured to record the use of privileges by processes running on the system. This will capture events such as the setting of UID and GID values, setting of privileges, as well as the use of functionality such as chroot(2).

Rationale:

This recommendation will provide an audit trail that contains information related to the use of privileges by processes running on the system. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these.

Solution

To enforce this setting, run the following commands to modify the /etc/security/audit_event file and add the cis audit class to the following audit events:

# awk 'BEGIN{FS=":"; OFS=":"} {if ($2 ~ /AUE_CHROOT|AUE_SETREUID|AUE_SETREGID|AUE_FCHROOT|AUE_PFEXEC|AUE_SETUID|AUE_NICE|AUE_SETGID|AUE_PRIOCNTLSYS|AUE_SETEGID|AUE_SETEUID|AUE_SETPPRIV|AUE_SETSID|AUE_SETPGID/) $4=$4",cis";} {print}' /etc/security/audit_event > /etc/security/audit_event.CIS

# cp /etc/security/audit_event.CIS /etc/security/audit_event
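
The awk command above appends ",cis" to every matching line each time it runs, so a second run leaves "cis" listed twice. The following is an added example, not part of the benchmark text: an idempotent variant plus a compliance check. The function names, the AWK variable and the sample lines are assumptions made for illustration, and event names are matched exactly rather than by regular expression.

```shell
#!/bin/sh
# Added example. Uses POSIX awk features (-v, "in"); on Solaris set AWK=nawk.
AWK=${AWK:-awk}

# Event names taken from the remediation command on this page.
CIS_EVENTS='AUE_CHROOT AUE_SETREUID AUE_SETREGID AUE_FCHROOT AUE_PFEXEC AUE_SETUID AUE_NICE AUE_SETGID AUE_PRIOCNTLSYS AUE_SETEGID AUE_SETEUID AUE_SETPPRIV AUE_SETSID AUE_SETPGID'

# add_cis FILE: write FILE to stdout with "cis" appended to the class field
# (field 4) of each listed event, unless that field already contains "cis".
add_cis() {
    "$AWK" -F: -v want="$CIS_EVENTS" '
        BEGIN { OFS = ":"; n = split(want, w, " ")
                for (i = 1; i <= n; i++) need[w[i]] = 1 }
        $0 !~ /^#/ && ($2 in need) && ("," $4 ",") !~ /,cis,/ { $4 = $4 ",cis" }
        { print }
    ' "$1"
}

# missing_cis FILE: print, in list order, each listed event that is absent
# from FILE or whose class field lacks "cis". Empty output means compliant.
missing_cis() {
    "$AWK" -F: -v want="$CIS_EVENTS" '
        BEGIN { n = split(want, w, " ") }
        $0 !~ /^#/ && ("," $4 ",") ~ /,cis,/ { ok[$2] = 1 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in ok)) print w[i] }
    ' "$1"
}

# Constructed sample lines in number:name:description:classes form
# (numbers and classes are illustrative, not copied from a real system).
sample_audit_event() {
    cat <<'EOF'
# constructed sample
24:AUE_CHROOT:chroot(2):pm
200:AUE_SETUID:setuid(2):pm,cis
40:AUE_SETREUID:setreuid(2):pm
EOF
}
```

Run add_cis against /etc/security/audit_event to produce audit_event.CIS, then confirm missing_cis prints nothing for that file before copying it into place.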

See Also

https://workbench.cisecurity.org/benchmarks/4777