The Sun Ray audit logs are not retained for a minimum of one year.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-16159	SUN0260	SV-17148r1_rule	ECAR-1 ECAR-2 ECAR-3	Medium

Description
Storing log files for at least a year provides a way to recover these files in case an investigation is necessary. Typically these files are stored offline on tape media or external networks. Log files enable the enforcement of individual accountability by creating a reconstruction of events. They also assist in problem identification that may lead to problem resolution. If these log files are not retained, there is no way to trace or reconstruct the events, and if it was discovered the network was hacked, there would be no way to trace the full extent of the compromise. The Sun Ray audit logs should be appropriately backed-up and stored in order for them to be examined at a future time. If audit logs are unavailable to be viewed at a later time, system compromises and/or attacks will not be traceable. Therefore, Sun Ray audit logs will retained for a minimum of 1 year.

Description

Storing log files for at least a year provides a way to recover these files in case an investigation is necessary. Typically these files are stored offline on tape media or external networks. Log files enable the enforcement of individual accountability by creating a reconstruction of events. They also assist in problem identification that may lead to problem resolution. If these log files are not retained, there is no way to trace or reconstruct the events, and if it was discovered the network was hacked, there would be no way to trace the full extent of the compromise. The Sun Ray audit logs should be appropriately backed-up and stored in order for them to be examined at a future time. If audit logs are unavailable to be viewed at a later time, system compromises and/or attacks will not be traceable. Therefore, Sun Ray audit logs will retained for a minimum of 1 year.

STIG	Date
Sun Ray 4 STIG	2015-04-02

Details

Check Text ( C-17196r1_chk )
Ask the IAO/SA where the Sun Ray system audit logs are stored. If they are offsite, review the process to move them to the alternative site. Verify that the audit data is retained for a minimum of one year by reviewing the dates of the oldest backup files or media. Audit data that should be retained include the following files on the Sun Ray server: (These files maybe at a different location for a remote syslog server.) /var/opt/SUNWut/log/admin_log /var/opt/SUNWut/log/auth_log /var/opt/SUNWut/log/utmountd.log /var/opt/SUNWut/log/utstoraged.log /var/opt/SUNWut/log/messages /var/opt/SUNWut/log/utwebadmin.log

Check Text ( C-17196r1_chk )

Ask the IAO/SA where the Sun Ray system audit logs are stored. If they are offsite, review the process to move them to the alternative site. Verify that the audit data is retained for a minimum of one year by reviewing the dates of the oldest backup files or media. Audit data that should be retained include the following files on the Sun Ray server: (These files maybe at a different location for a remote syslog server.)

/var/opt/SUNWut/log/admin_log
/var/opt/SUNWut/log/auth_log
/var/opt/SUNWut/log/utmountd.log
/var/opt/SUNWut/log/utstoraged.log
/var/opt/SUNWut/log/messages
/var/opt/SUNWut/log/utwebadmin.log

Fix Text (F-16264r1_fix)
Retain all audit data for a minimum of one year.