The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.

From Solaris 11 SPARC Security Technical Implementation Guide

Part of SRG-OS-000061

Associated with: CCI-000166

SV-60703r2_rule The operating system must protect against an individual falsely denying having performed a particular action. In order to do so the system must be configured to send audit records to a remote audit server.

Vulnerability discussion

Keeping audit records on a remote system reduces the likelihood of audit records being changed or corrupted. Duplicating and protecting the audit trail on a separate system reduces the likelihood of an individual being able to deny performing an action.

Check content

Audit Configuration rights profile is required. This check applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled:

# pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online:

# pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

# grep audit.notice /etc/syslog.conf

or

# grep audit.notice /etc/rsyslog.conf

If audit.notice @remotesystemname points to an invalid remote system, this is a finding. If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host.

Fix text

Service Management, Audit Configuration and Audit Control rights profiles are required. This action applies to the global zone only.

Determine the zone that you are currently securing:

# zonename

If the command output is "global", this action applies.

Configure Solaris 11 to use the syslog audit plugin:

# pfexec auditconfig -setplugin audit_syslog active

Determine which system-log service instance is online:

# pfexec svcs system-log

If the default system-log service is online:

# pfedit /etc/syslog.conf

Add the line:

audit.notice @[remotesystemname]

replacing [remotesystemname] with the correct hostname of the remote syslog server.

If the rsyslog service is online, modify the /etc/rsyslog.conf file instead:

# pfedit /etc/rsyslog.conf

Add the line:

audit.notice @[remotesystemname]

replacing [remotesystemname] with the correct hostname of the remote syslog server.

Create the log file on the remote system:

# touch /var/adm/auditlog

Refresh the syslog service:

# pfexec svcadm refresh system/system-log:default

or

# pfexec svcadm refresh system/system-log:rsyslog

Refresh the audit service:

# pfexec audit -s
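The check above inspects two artifacts: the state of the audit_syslog plugin and the audit.notice selector in the syslog configuration. The following POSIX shell script is an added example, not part of the STIG, that evaluates both from captured text (paste in the output of the two commands from the global zone) so the verdict logic can be exercised offline; the auditconfig output layout and the host names in the samples are constructed assumptions modelled on Solaris 11.

```shell
#!/bin/sh
# Added example (not STIG text): evaluate SV-60703 from captured output.
# Assumed layout of `auditconfig -getplugin`: "Plugin: <name> (inactive)"
# when a plugin is off, "Plugin: <name>" when it is active.

# Pass (0) when the audit_syslog plugin line lacks "(inactive)".
# $1 = captured text of: pfexec auditconfig -getplugin
audit_syslog_active() {
    printf '%s\n' "$1" | grep '^Plugin: audit_syslog' | grep -qv '(inactive)'
}

# Pass (0) when an uncommented audit.notice selector forwards to a remote
# host via "@host" or "@@host[:port]" and the host is neither the unfilled
# [remotesystemname] placeholder nor loopback; otherwise a finding (1).
# $1 = captured text of /etc/syslog.conf or /etc/rsyslog.conf
audit_notice_forwarded() {
    target=$(printf '%s\n' "$1" | grep -v '^[[:space:]]*#' |
        awk '$1 == "audit.notice" && $2 ~ /^@/ {
                 sub(/^@@?/, "", $2); sub(/:.*/, "", $2); print $2; exit }')
    [ -n "$target" ] || return 1
    case "$target" in
        \[*\]|remotesystemname|localhost|127.0.0.1|::1) return 1 ;;
    esac
    return 0
}

# Combined verdict in STIG terms; returns 0 only when both checks pass.
stig_verdict() {
    if audit_syslog_active "$1" && audit_notice_forwarded "$2"; then
        echo "not a finding"
    else
        echo "finding"; return 1
    fi
}

# Constructed samples (spaces stand in for the tabs syslog.conf uses).
PLUGIN_OK='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog
Attributes: p_flags=lo,ex;'
PLUGIN_BAD='Plugin: audit_binfile
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;
Plugin: audit_syslog (inactive)
Attributes: p_flags=;'
SYSLOG_OK='*.err;kern.notice;auth.notice   /dev/sysmsg
audit.notice   @loghost.example.net'
SYSLOG_BAD='*.err;kern.notice;auth.notice   /dev/sysmsg
#audit.notice   @loghost.example.net
audit.notice   @[remotesystemname]'

stig_verdict "$PLUGIN_OK" "$SYSLOG_OK"
stig_verdict "$PLUGIN_BAD" "$SYSLOG_BAD" || :
```

Replace the sample variables with the real command output and file contents; a placeholder or commented-out audit.notice line is reported as a finding exactly as the check text requires.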
