Severity: Medium
Audit_user is a sensitive file that, if compromised, would allow a malicious user to select auditing parameters to ignore their sessions. This would allow malicious operations the auditing subsystem would not detect for that user. It could also result in long-term system compromise possibly leading to the compromise of other systems and networks.
Documentable: false
Check the permissions of the file.
# ls -lL /etc/security/audit_user
If the permissions of the file contain a "+", an extended ACL is present; this is a finding.
Remove the extended ACL from the file.
# chmod A- /etc/security/audit_user
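The check above, scripted so it can run unattended. This is an added example, not part of the STIG text; the function names acl_finding and check_file, the return codes and the sample lines are constructed for illustration, and the path is assumed to be a regular file.

```sh
#!/bin/sh
# Added example (not STIG text). Function names and sample lines are constructed.

# acl_finding LINE: succeed (0) when the mode field of an `ls -lL` line
# ends in the "+" that marks an extended ACL. Only the first field is
# examined, so a "+" in the file name does not count.
acl_finding() {
    mode=${1%% *}              # first field, e.g. "-rw-r-----+"
    case $mode in
        *+) return 0 ;;        # extended ACL present: finding
        *)  return 1 ;;
    esac
}

# check_file PATH: 0 = no extended ACL, 1 = finding, 2 = could not be listed.
check_file() {
    line=$(ls -lL "$1" 2>/dev/null) || return 2
    if acl_finding "$line"; then
        printf 'FINDING: %s has an extended ACL (%s)\n' "$1" "${line%% *}"
        return 1
    fi
    printf 'OK: %s has no extended ACL (%s)\n' "$1" "${line%% *}"
    return 0
}

# Constructed sample lines in the shape of `ls -lL` output.
for sample in \
    '-rw-r-----+  1 root sys 128 Jan  1 00:00 /etc/security/audit_user' \
    '-rw-r-----   1 root sys 128 Jan  1 00:00 /etc/security/audit_user'
do
    if acl_finding "$sample"; then
        echo "finding: $sample"
    else
        echo "ok:      $sample"
    fi
done
```

On the audited host, call check_file /etc/security/audit_user and treat a return code of 2 as a failed check rather than a pass.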