Information
Audit records contain evidence that can be used in the investigation of compromised systems. To protect this evidence from compromise, audit records must be sent continuously to a separate system. Methods for sending audit records include, but are not limited to, using system audit tools to send logs directly to another host or sending them through the system's syslog service to another host.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Update the /etc/security/audit_control file to save audit records to a remote NFS mount.
dir:<remote NFS directory>
OR
If /usr/lib/security/audit_syslog.so* exists, update the /etc/security/audit_control file to send all audit records to syslog, and update /etc/syslog.conf to send all audit messages to a remote server.
/etc/security/audit_control:
plugin:name=audit_syslog.so.1; p_flags=all
/etc/syslog.conf:
audit.* @<remote syslog server>
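Either option above can be checked statically from the configuration files. The shell functions below are an added example, not part of the benchmark or of Nessus: they assume /etc/mnttab is the mount table used to decide whether a dir: entry sits on NFS, run against constructed sample files, and do not test whether the audit_syslog.so library is present.

```shell
#!/bin/sh
# Added example (not from the benchmark). Using /etc/mnttab as the mount table
# is an assumption of this sketch; the other default paths are those named above.

# Print the filesystem type of the mount that holds directory $1 (mnttab file $2).
fstype_of() {
    awk -v d="$1" '
        { mp = $2; n = length(mp)
          # the longest mount point that is a path prefix of d wins
          if ((mp == "/" || d == mp || substr(d, 1, n + 1) == (mp "/")) && n > best) {
              best = n; fs = $3 } }
        END { print fs }' "$2"
}

# Return 0 if audit records leave the host by either option, else 1.
check_remote_audit() {
    ac=${1:-/etc/security/audit_control}
    sc=${2:-/etc/syslog.conf}
    mt=${3:-/etc/mnttab}

    # Option 1: a dir: entry located on an NFS mount (pass criterion chosen here).
    for d in $(awk -F: '!/^[ \t]*#/ && $1 == "dir" { print $2 }' "$ac"); do
        if [ "$(fstype_of "$d" "$mt")" = nfs ]; then
            echo "PASS: dir:$d is on an NFS mount"; return 0
        fi
    done

    # Option 2: audit_syslog plugin with p_flags=all AND audit.* sent to @host.
    if awk '!/^[ \t]*#/ && /^plugin:/ && /name=audit_syslog\.so/ && /p_flags=all/ { ok = 1 }
            END { exit !ok }' "$ac" &&
       awk '!/^[ \t]*#/ && $1 ~ /(^|;)audit\.\*(;|$)/ && $2 ~ /^@./ { ok = 1 }
            END { exit !ok }' "$sc"; then
        echo "PASS: audit_syslog plugin enabled and audit.* forwarded"; return 0
    fi

    echo "FAIL: audit records stay on the local host"; return 1
}

# Constructed sample: plugin enabled, but syslog.conf never forwards audit.*,
# and the only dir: entry is on a local ufs filesystem, so the check fails.
tmp=$(mktemp -d)
printf 'dir:/var/audit\nplugin:name=audit_syslog.so.1; p_flags=all\n' > "$tmp/ac"
printf '*.err\t/var/adm/messages\n' > "$tmp/sc"
printf '/dev/dsk/c0t0d0s0\t/\tufs\trw\t0\n' > "$tmp/mt"
check_remote_audit "$tmp/ac" "$tmp/sc" "$tmp/mt" || true
```

Called with no arguments on the target host, check_remote_audit reads the default paths; the sample shows that enabling the plugin alone does not pass, because records only leave the host once syslog.conf forwards them.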