Information
The Solaris Audit service can be configured to record file metadata modification events for every process running on the system. This will allow the auditing service to determine when file ownership, permissions and related information is changed.
Rationale:
This recommendation will provide an audit trail that contains information related to changes of file metadata. The Solaris Audit service is used to provide a more centralized and complete window into activities such as these.
Solution
To enforce this setting, run the following commands to modify the /etc/security/audit_event file and add the cis audit class to the following audit events:
# awk 'BEGIN{FS=':'; OFS=':'} {if ($2 ~ /AUE_CHMOD|AUE_CHOWN|AUE_FCHOWN|AUE_FCHMOD|AUE_LCHOWN|AUE_ACLSET|AUE_FACLSET/) $4=$4',cis';} {print} ' /etc/security/audit_event > /etc/security/audit_event.CIS
# cp /etc/security/audit_event.CIS /etc/security/audit_event