Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-47827 | SOL-11.1-010350 | SV-60703r2_rule | | Low |
Description |
---|
Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action. |
STIG | Date |
---|---|
Solaris 11 SPARC Security Technical Implementation Guide | 2019-09-23 |
Check Text ( C-50283r1_chk ) |
---|
The Audit Configuration rights profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing:

    # zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled:

    # pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online:

    # pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

    # grep audit.notice /etc/syslog.conf

or

    # grep audit.notice /etc/rsyslog.conf

If the audit.notice @remotesystemname entry points to an invalid remote system, this is a finding. If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host. |
Fix Text (F-51447r3_fix) |
---|
The Service Management, Audit Configuration, and Audit Control rights profiles are required. This action applies to the global zone only.

Determine the zone that you are currently securing:

    # zonename

If the command output is "global", this action applies.

Configure Solaris 11 to use the syslog audit plugin:

    # pfexec auditconfig -setplugin audit_syslog active

Determine which system-log service instance is online:

    # pfexec svcs system-log

If the default system-log service is online, edit /etc/syslog.conf:

    # pfedit /etc/syslog.conf

Add the line:

    audit.notice @[remotesystemname]

replacing [remotesystemname] with the correct hostname of the remote log host.

If the rsyslog service is online, modify the /etc/rsyslog.conf file instead:

    # pfedit /etc/rsyslog.conf

Add the line:

    audit.notice @[remotesystemname]

replacing [remotesystemname] with the correct hostname of the remote log host.

Create the log file on the remote system:

    # touch /var/adm/auditlog

Refresh the syslog service:

    # pfexec svcadm refresh system/system-log:default

or

    # pfexec svcadm refresh system/system-log:rsyslog

Refresh the audit service:

    # pfexec audit -s |
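As an added example that is not part of the STIG text, the POSIX shell functions below turn the check above into a repeatable local pre-check: they parse text of the form printed by `pfexec auditconfig -getplugin` and a syslog.conf or rsyslog.conf file, and report a finding when the audit_syslog plugin is inactive, when no live `audit.notice` forwarding line exists, or when the forwarding target is not the expected log host. The "Plugin: audit_syslog (inactive)" line format and the sample inputs are assumptions, not captured from a real system.

```shell
#!/bin/sh
# Added pre-check for V-47827 (not from the STIG). Plugin line format is assumed.

# Return 0 if the audit_syslog plugin is active, 1 if it is inactive or absent.
# $1: output of `pfexec auditconfig -getplugin`
audit_syslog_active() {
    line=$(printf '%s\n' "$1" | grep 'audit_syslog') || return 1
    case "$line" in
        *inactive*) return 1 ;;   # "inactive" appears: this is a finding
        *)          return 0 ;;
    esac
}

# Print the remote host named on the first uncommented "audit.notice" line of
# a syslog.conf/rsyslog.conf file (handles @host, @@host and an optional :port).
# Return 1 if no such line exists. $1: path to the configuration file
audit_notice_target() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "audit.notice" && $2 ~ /^@/ {
            sub(/^@@?/, "", $2); sub(/:[0-9]+$/, "", $2)
            print $2; found = 1; exit
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 (compliant) only if the plugin is active and audit.notice is
# forwarded to the expected host; 1 otherwise (a finding).
# $1: auditconfig output, $2: config file path, $3: expected remote log host
check_remote_audit() {
    audit_syslog_active "$1" || return 1
    target=$(audit_notice_target "$2") || return 1
    [ "$target" = "$3" ]
}

# Constructed sample inputs (assumed format, not captured from a real system).
PLUGIN_OK='Plugin: audit_binfile (active)
Plugin: audit_syslog (active)'
PLUGIN_BAD='Plugin: audit_binfile (active)
Plugin: audit_syslog (inactive)'
CONF_OK=$(mktemp); CONF_BAD=$(mktemp)
trap 'rm -f "$CONF_OK" "$CONF_BAD"' EXIT
printf '# forward audit records\naudit.notice\t@loghost.example.com\n' > "$CONF_OK"
printf 'kern.err\t/var/adm/messages\n' > "$CONF_BAD"

if check_remote_audit "$PLUGIN_OK" "$CONF_OK" loghost.example.com; then
    echo "compliant"
else
    echo "finding"
fi
```

On a real global zone, replace the constructed samples with `$(pfexec auditconfig -getplugin)`, the live configuration path from `pfexec svcs system-log`, and the hostname of your log collector.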