Detections
Analytics
SOL-11.1-010440 - The operating system must protect audit information from unauthorized access.
Information
If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve.To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access.
Satisfies: SRG-OS-000057, SRG-OS-000058, SRG-OS-000059
Solution
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.The root role is required.
This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile|
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# chown root [directory]
# chgrp root [directory]
# chmod 750 [directory]
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_11_x86_V3R4_STIG.zip
Item Details
Audit Name: DISA Solaris 11 X86 STIG v3r4
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-9, CAT|II, CCI|CCI-000162, CCI|CCI-000163, Rule-ID|SV-216042r958434_rule, STIG-ID|SOL-11.1-010440, STIG-Legacy|SV-60741, STIG-Legacy|V-47869, Vuln-ID|V-216042
Plugin: Unix
Control ID: 28cbe5d652d861d84e6d22e95a73d198f87132f0a2e1b5fd8abeb6832e58b63b