This recommendation implements a local syslog configuration. Rationale: Establishing a logging process via syslog provides system and security administrators with pertinent information relating to login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging with a weekly rotation policy over a four-week cycle (rotate each week, keep four files). Log rotation isolates historical data, which can be reviewed retrospectively if an issue is uncovered at a later date. Impact: This recommendation is manual because there are likely local requirements that surpass the basic recommendation here. NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Explicitly define a log file for the auth.info output in /etc/syslog.conf (the selector and the action must be tab-separated, and the rotate options stay on the same line):

    printf 'auth.info\t\t/var/adm/authlog rotate time 1w files 4\n' >> /etc/syslog.conf

NOTE: auth.info selects messages from the auth facility at level info and above, so remote login, sudo and su attempts are logged separately from the rest of the system's output.

Create the authlog file and make it readable by root only:

    touch /var/adm/authlog
    chown root:system /var/adm/authlog
    chmod u=rw,go= /var/adm/authlog

Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information (auth.none), as this is already captured in /var/adm/authlog:

    printf '*.info;auth.none\t/var/adm/syslog rotate time 1w files 4\n' >> /etc/syslog.conf

Create the syslog file:

    touch /var/adm/syslog
    chmod u=rw,g=r,o= /var/adm/syslog

Refresh syslogd to force the daemon to re-read the edited /etc/syslog.conf:

    refresh -s syslogd

Before refreshing, review any existing /etc/syslog.conf entries that already match auth.* or *.info: syslogd delivers a message to every line whose selector matches, so overlapping entries produce duplicate logging rather than a redirection.

Default Value:

Not configured

Additional Information:

Reversion: Edit /etc/syslog.conf and remove the authlog and syslog entries:

    vi /etc/syslog.conf

Remove:

    auth.info		/var/adm/authlog rotate time 1w files 4
    *.info;auth.none	/var/adm/syslog rotate time 1w files 4

Refresh syslogd to force the daemon to re-read the edited /etc/syslog.conf:

    refresh -s syslogd

Delete the authlog and syslog files:

    rm /var/adm/authlog /var/adm/syslog
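The procedure above as a single idempotent POSIX shell script (an added example, not part of the CIS benchmark or of Nessus). It keeps the benchmark's paths and rotate options, but every function takes the configuration file as an argument so the append-and-audit logic can be exercised against a scratch copy before /etc/syslog.conf is touched; the function names ensure_syslog_entry, has_syslog_entry, audit_syslog_conf, create_log_file and apply_recommendation are the example's own. Only apply_recommendation requires AIX (refresh -s syslogd, group system).

```shell
#!/bin/sh
# Added example for the syslog recommendation above; not CIS or Nessus code.
# Paths and rotate options follow the benchmark; function names are this
# example's own. Usage: "sh syslog_auth.sh audit [conf]" or "... apply".

ROTATE='rotate time 1w files 4'

# ensure_syslog_entry CONF SELECTOR ACTION
# Appends "SELECTOR<tab><tab>ACTION" to CONF unless CONF already has an
# uncommented line for that selector. The selector is the first
# whitespace-delimited field, so "#auth.info ..." does not count as present.
ensure_syslog_entry() {
    conf=$1; selector=$2; action=$3
    if awk -v s="$selector" '$1 == s { found = 1 } END { exit !found }' "$conf" 2>/dev/null; then
        return 0
    fi
    # printf expands \t and \n itself, so the tabs syslogd expects survive
    # regardless of how the shell's echo treats escapes.
    printf '%s\t\t%s\n' "$selector" "$action" >> "$conf"
}

# has_syslog_entry CONF SELECTOR ACTION
# True when CONF has an uncommented line routing SELECTOR to ACTION with the
# benchmark's weekly, four-file rotation.
has_syslog_entry() {
    awk -v s="$2" -v a="$3" \
        '$1 == s && $2 == a && /rotate/ && /time 1w/ && /files 4/ { ok = 1 } END { exit !ok }' \
        "$1" 2>/dev/null
}

# audit_syslog_conf CONF
# Returns 0 when both required entries are present; prints each missing one.
audit_syslog_conf() {
    conf=$1; rc=0
    for sel in 'auth.info' '*.info;auth.none'; do
        case "$sel" in
            auth.info) act=/var/adm/authlog ;;
            *)         act=/var/adm/syslog ;;
        esac
        if ! has_syslog_entry "$conf" "$sel" "$act"; then
            printf 'missing: %s\t\t%s %s\n' "$sel" "$act" "$ROTATE"
            rc=1
        fi
    done
    return "$rc"
}

# create_log_file PATH MODE
# Creates the log file if needed and clamps its mode. root:system ownership is
# the AIX convention from the benchmark; it is skipped (and reported) when the
# script is not running as root, so the rest can be dry-run.
create_log_file() {
    path=$1; mode=$2
    [ -e "$path" ] || : > "$path"
    chmod "$mode" "$path"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:system "$path"
    else
        printf 'not root: skipped chown root:system %s\n' "$path" >&2
    fi
}

# apply_recommendation [CONF]  (AIX only: SRC-managed syslogd)
apply_recommendation() {
    conf=${1:-/etc/syslog.conf}
    ensure_syslog_entry "$conf" 'auth.info' "/var/adm/authlog $ROTATE"
    create_log_file /var/adm/authlog 'u=rw,go='
    ensure_syslog_entry "$conf" '*.info;auth.none' "/var/adm/syslog $ROTATE"
    create_log_file /var/adm/syslog 'u=rw,g=r,o='
    # Make syslogd re-read its configuration (AIX System Resource Controller).
    refresh -s syslogd
}

case "${1:-}" in
    apply) apply_recommendation "${2:-}" ;;
    audit) audit_syslog_conf "${2:-/etc/syslog.conf}" ;;
esac
```

Run "audit" first on a production host: it only reads the file and lists which of the two entries is missing, so it doubles as the manual check the Nessus plugin does not perform. The append helper is safe to re-run because it keys on the selector field, which also means a pre-existing line that routes auth.info elsewhere is left alone and should be reconciled by hand.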