The system must log successful and unsuccessful access to the root account.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-11980 | GEN001060 | SV-39850r1_rule | ECAR-2 ECAR-1 ECAR-3 | Medium |
| Description |
|---|
| If successful and unsuccessful logins and logouts are not monitored or recorded, access attempts cannot be tracked. Without this logging, it may be impossible to track unauthorized access to the system. |
| STIG | Date |
|---|---|
| SOLARIS 9 X86 SECURITY TECHNICAL IMPLEMENTATION GUIDE | 2015-10-01 |
Details
| Check Text ( C-28082r1_chk ) |
|---|
| Check the following log files to determine if access to the root account is being logged. Try to su - and enter an incorrect password. # more /var/adm/sulog If root login accounts are not being logged, this is a finding. |
| Fix Text (F-33987r1_fix) |
|---|
| Update /etc/default/su and set SYSLOG=YES. Ensure /etc/syslog.conf is configured to log auth.crit messages to capture all failed su attempts. |