4.4 Enable Auditing of Process and Privilege Events - AUE_SETEUID : cis

Information

The Solaris Audit service can be configured to record the use of privileges by processes
running on the system. This will capture events such as the setting of UID and GID values,
setting of privileges, as well as the use of functionality such as chroot(2).

This recommendation will provide an audit trail that contains information related to the
use of privileges by processes running on the system. The Solaris Audit service is used to
provide a more centralized and complete window into activities such as these.

Solution

To enforce this setting, edit the /etc/security/audit_event file and add the cis audit
class to the following audit events-AUE_CHROOT
AUE_SETREUID
AUE_SETREGID
AUE_FCHROOT
AUE_PFEXEC
AUE_SETUID
AUE_NICE
AUE_SETGID
AUE_PRIOCNTLSYS
AUE_SETEGID
AUE_SETEUID
AUE_SETPPRIV
AUE_SETSID
AUE_SETPGID

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: b9bec5f1c306bf6a6d482aee79e14d26757735d33ed3df2a2ca15f9ee3b684a9