The operating system must shut down by default upon audit failure (unless availability is an overriding concern).

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-216041	SOL-11.1-010420	SV-216041r603268_rule		Medium

Description
Continuing to operate a system without auditing working properly can result in undocumented access or system changes.

STIG	Date
Solaris 11 X86 Security Technical Implementation Guide	2021-11-23

Details

Check Text ( C-17279r372505_chk )
The Audit Configuration profile is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. # pfexec auditconfig -getpolicy \| grep ahlt If the output does not include "ahlt" as an active audit policy, this is a finding. # pfexec auditconfig -getpolicy \| grep active \| grep cnt If the output includes "cnt" as an active audit policy, this is a finding.

Check Text ( C-17279r372505_chk )

The Audit Configuration profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

# pfexec auditconfig -getpolicy | grep ahlt

If the output does not include "ahlt" as an active audit policy, this is a finding.

# pfexec auditconfig -getpolicy | grep active | grep cnt

If the output includes "cnt" as an active audit policy, this is a finding.

Fix Text (F-17277r372506_fix)
The Audit Configuration profile is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Set audit policy to halt and suspend on failure. # pfexec auditconfig -setpolicy +ahlt # pfexec auditconfig -setpolicy -cnt