The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-47827	SOL-11.1-010350	SV-60703r2_rule		Low

Description
Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2019-12-18

Details

Check Text ( C-50283r1_chk )
Audit Configuration rights profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the syslog audit plugin is enabled. # pfexec auditconfig -getplugin \| grep audit_syslog If "inactive" appears, this is a finding. Determine which system-log service instance is online. # pfexec svcs system-log Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly: # grep audit.notice /etc/syslog.conf or # grep audit.notice /etc/rsyslog.conf If audit.notice @remotesystemname points to an invalid remote system, this is a finding. If no output is produced, this is a finding. Check the remote syslog host to ensure that audit records can be found for this host.

Check Text ( C-50283r1_chk )

Audit Configuration rights profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled.

# pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online.

# pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

# grep audit.notice /etc/syslog.conf
or
# grep audit.notice /etc/rsyslog.conf

If audit.notice @remotesystemname
points to an invalid remote system, this is a finding.

If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host.

Fix Text (F-51447r3_fix)
Service Management, Audit Configuration and Audit Control rights profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Configure Solaris 11 to use the syslog audit plugin # pfexec auditconfig -setplugin audit_syslog active Determine which system-log service instance is online. # pfexec svcs system-log If the default system-log service is online: # pfedit /etc/syslog.conf Add the line: audit.notice @[remotesystemname] Replacing the remote system name with the correct hostname. If the rsyslog service is online, modify the /etc/rsyslog.conf file. # pfedit /etc/rsyslog.conf Add the line: audit.notice @[remotesystemname] Replacing the remote system name with the correct hostname. Create the log file on the remote system # touch /var/adm/auditlog Refresh the syslog service # pfexec svcadm refresh system/system-log:default or # pfexec svcadm refresh system/system-log:rsyslog Refresh the audit service # pfexec audit -s

Fix Text (F-51447r3_fix)

Service Management, Audit Configuration and Audit Control rights profile is required.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Configure Solaris 11 to use the syslog audit plugin

# pfexec auditconfig -setplugin audit_syslog active

Determine which system-log service instance is online.

# pfexec svcs system-log

If the default system-log service is online:

# pfedit /etc/syslog.conf

Add the line:

audit.notice @[remotesystemname]

Replacing the remote system name with the correct hostname.

If the rsyslog service is online, modify the /etc/rsyslog.conf file.

# pfedit /etc/rsyslog.conf

Add the line:

audit.notice @[remotesystemname]

Replacing the remote system name with the correct hostname.

Create the log file on the remote system

# touch /var/adm/auditlog

Refresh the syslog service

# pfexec svcadm refresh system/system-log:default

or

# pfexec svcadm refresh system/system-log:rsyslog

Refresh the audit service

# pfexec audit -s