The operating system must protect audit information from unauthorized deletion.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-47879	SOL-11.1-010460	SV-60751r1_rule		High

Description
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2019-12-18

Details

Check Text ( C-50315r2_chk )
The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the directory storing the audit files is owned by root and has permissions 640 or less. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # ls -ld /var/share/audit Check the audit directory is owned by root, group is root, and permissions are 640 (rw- r-- ---) or less. If the permissions are excessive, this is a finding.

Check Text ( C-50315r2_chk )

The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the directory storing the audit files is owned by root and has permissions 640 or less.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit

Check the audit directory is owned by root, group is root, and permissions are 640 (rw- r-- ---) or less. If the permissions are excessive, this is a finding.

Fix Text (F-51491r2_fix)
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile\| The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # chown root [directory] # chgrp root [directory] # chmod 640 [directory]

Fix Text (F-51491r2_fix)

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

The root role is required.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile|

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory.

# chown root [directory]
# chgrp root [directory]
# chmod 640 [directory]