4.3 Enable Auditing of File Metadata Modification Events - AUE_FCHOWN : cis

Information

The Solaris Audit service can be configured to record file metadata modification events for
every process running on the system. This will allow the auditing service to determine
when file ownership, permissions and related information are changed.

This recommendation will provide an audit trail that contains information related to
changes of file metadata. The Solaris Audit service is used to provide a more centralized
and complete window into activities such as these.

Solution

To enforce this setting, edit the /etc/security/audit_event file and add the cis audit class to
the following audit events:
AUE_CHMOD
AUE_CHOWN
AUE_FCHOWN
AUE_FCHMOD
AUE_LCHOWN
AUE_ACLSET
AUE_FACLSET
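
One way to verify the setting after editing the file, as an added example that is not part of the CIS benchmark or the audit plugin: the function below lists every event from the list above that lacks the cis class. It assumes the colon-separated audit_event layout (number:name:description:classes); the names missing_cis and sample_audit_event are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Events named in the Solution section of this item.
REQUIRED_EVENTS="AUE_CHMOD AUE_CHOWN AUE_FCHOWN AUE_FCHMOD AUE_LCHOWN AUE_ACLSET AUE_FACLSET"

# missing_cis FILE [CLASS]
# Prints each required event that is absent from FILE or whose class
# field (4th colon-separated field) does not list CLASS (default: cis).
# Returns 0 only when no required event is missing the class.
missing_cis() {
    awk -F: -v want="$REQUIRED_EVENTS" -v cls="${2:-cis}" '
        BEGIN { n = split(want, req, " ") }
        /^[ \t]*#/ || NF < 4 { next }      # skip comments and short lines
        {
            m = split($4, classes, ",")    # classes are comma-separated
            for (i = 1; i <= m; i++) {
                gsub(/[ \t]/, "", classes[i])
                if (classes[i] == cls) has[$2] = 1
            }
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++)
                if (!(req[i] in has)) { print req[i]; bad = 1 }
            exit bad
        }' "$1"
}

# Constructed sample in audit_event layout (event numbers and
# descriptions are illustrative). Two events lack the cis class.
sample_audit_event() {
    cat <<'EOF'
# constructed sample, not a real system file
10:AUE_CHMOD:chmod(2):fm,cis
11:AUE_CHOWN:chown(2):fm,cis
38:AUE_FCHOWN:fchown(2):fm
39:AUE_FCHMOD:fchmod(2):fm,cis
237:AUE_LCHOWN:lchown(2):fm,cis
251:AUE_ACLSET:acl(2) - SETACL command:fm
252:AUE_FACLSET:facl(2) - SETACL command:fm,cis
EOF
}
```

On a live system, run `missing_cis /etc/security/audit_event`; empty output with exit status 0 means all seven events carry the class.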

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: 217fd6b0dc6d79771ef363f782c4b2cdedfcb76e04f934127f46127239ba77e6