
The Sun Ray server does not record log files.


Overview

Finding ID: V-16157
Version: SUN0230
Rule ID: SV-17146r1_rule
IA Controls: ECAR-1, ECAR-2, ECAR-3
Severity: Medium
Description
Logs form a recorded history or audit trail of the Sun Ray server system events, making it easier for system administrators to track down intermittent problems, review past events, and piece together information if an investigation is required. Without this recorded history, potential attacks and suspicious activity will go unnoticed. Logging must be comprehensive to be useful for both intrusion monitoring and security investigations. Setting logging at the severity notice should capture most relevant events without requiring unacceptable levels of data storage. The severity levels notice and debug are also available to organizations that require additional logging for certain events or applications.
STIG: Sun Ray 4 STIG
Date: 2015-04-02

Details

Check Text (C-17194r1_chk)
1. Verify that syslogd is running on the system. Perform the following (the bracketed pattern keeps the grep command itself out of the output, so only a real syslogd process is listed):
# ps -ef | grep '[s]yslogd'

If nothing is returned, this is a finding.

2. Verify /etc/syslog.conf is configured with the following entries (on Solaris the selector and the action must be separated by a TAB, not spaces):
# cat /etc/syslog.conf
user.info /var/opt/SUNWut/log/messages
local1.info /var/opt/SUNWut/log/admin_log

If these two entries are missing, this is a finding.

3. The critical Sun Ray log files are those for administration, authentication, automatic mounting, mass storage devices, general messages, and web administration. Significant activity is recorded in the log files listed below. Verify that these files are being written to by performing the following:

# ls -Ll /var/opt/SUNWut/log | awk '{if ($5 ~ /^0$/) print}'

If any of the following log files are returned, this is a finding.
admin_log
auth_log
utmountd.log
utstoraged.log
messages
utwebadmin.log

Example of a log file with a zero-byte (0) size:
(e.g. -rw-r----- 1 root utadmin 0 Jun 29 utmountd.log)

If these logs are being written to an external syslog server, review that server to ensure the logs are being recorded.
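An added example, not part of the STIG or of the Sun Ray software: a POSIX shell script that automates checks 1 to 3 above. It runs here against a constructed syslog.conf and log directory created under a temporary path (an assumption; on a real server point the functions at /etc/syslog.conf and /var/opt/SUNWut/log).

```shell
#!/bin/sh
# Added example, not part of the STIG: automates checks 1-3 of SUN0230.
# SAMPLE below is a constructed stand-in for /etc/syslog.conf and
# /var/opt/SUNWut/log so the script runs offline; use the real paths on a host.
set -u

# Check 1 (live host only): bracketed pattern so the grep process itself
# never matches, which a bare "grep syslogd" would.
syslogd_running() { ps -ef | grep -q '[s]yslogd'; }

# Check 2: both selector lines present, facility.level then the file, with
# at least one whitespace character between (Solaris syslogd needs a TAB).
syslog_conf_ok() {  # $1 = path to syslog.conf
    grep -iq '^user\.info[[:space:]]\{1,\}/var/opt/SUNWut/log/messages' "$1" &&
    grep -iq '^local1\.info[[:space:]]\{1,\}/var/opt/SUNWut/log/admin_log' "$1"
}

# Check 3: critical log files that are zero bytes. The awk test in the STIG
# only catches size 0; "-s" also flags a file that does not exist at all.
empty_logs() {  # $1 = log directory; prints offending file names
    for f in admin_log auth_log utmountd.log utstoraged.log messages utwebadmin.log; do
        [ -s "$1/$f" ] || printf '%s\n' "$f"
    done
}

# Verdict: prints "pass" or "finding". $3 is 1 when syslogd is running
# (on a host: "$(syslogd_running && echo 1 || echo 0)"; the sample sets it).
sun0230_status() {  # $1 = syslog.conf path, $2 = log dir, $3 = syslogd flag
    if [ "$3" = 1 ] && syslog_conf_ok "$1" && [ -z "$(empty_logs "$2")" ]; then
        echo pass
    else
        echo finding
    fi
}

# Constructed sample: correct syslog.conf, but utmountd.log is zero bytes.
SAMPLE=$(mktemp -d)
printf 'user.info\t/var/opt/SUNWut/log/messages\nlocal1.info\t/var/opt/SUNWut/log/admin_log\n' \
    > "$SAMPLE/syslog.conf"
mkdir "$SAMPLE/log"
for f in admin_log auth_log utstoraged.log messages utwebadmin.log; do
    echo 'sample entry' > "$SAMPLE/log/$f"
done
: > "$SAMPLE/log/utmountd.log"

echo "empty logs: $(empty_logs "$SAMPLE/log")"                            # utmountd.log
echo "status: $(sun0230_status "$SAMPLE/syslog.conf" "$SAMPLE/log" 1)"   # finding
```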
Fix Text (F-16262r1_fix)
Record Sun Ray server activity to log files.