STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The operating system must protect against an individual falsely denying having performed a particular action. In order to do so, the system must be configured to send audit records to a remote audit server.

DISA Rule

SV-216034r603268_rule

Vulnerability Number

V-216034

Group Title

SRG-OS-000061

Rule Version

SOL-11.1-010350

Severity

CAT III

CCI(s)

Weight

10

Fix Recommendation

Service Management, Audit Configuration and Audit Control rights profile is required.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Configure Solaris 11 to use the syslog audit plugin.

# pfexec auditconfig -setplugin audit_syslog active

Determine which system-log service instance is online.

# pfexec svcs system-log

If the default system-log service is online:

# pfedit /etc/syslog.conf

Add the line:

audit.notice @[remotesystemname]
or
audit.notice ![remotesystemname]

Replace [remotesystemname] with the correct hostname of the remote audit server.

If the rsyslog service is online, modify the /etc/rsyslog.conf file.

# pfedit /etc/rsyslog.conf

Add the line:

*.* @@[remotesystemname]
or
*.* :omrelp:[remotesystemname]:[designatedportnumber]

Replace [remotesystemname] with the correct hostname of the remote audit server.

Create the log file on the remote system.

# touch /var/adm/auditlog

Refresh the syslog service.

# pfexec svcadm refresh system/system-log:default

or

# pfexec svcadm refresh system/system-log:rsyslog

Refresh the audit service.

# pfexec audit -s

Check Contents

Audit Configuration rights profile is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the syslog audit plugin is enabled.

# pfexec auditconfig -getplugin | grep audit_syslog

If "inactive" appears, this is a finding.

Determine which system-log service instance is online.

# pfexec svcs system-log

Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:

# grep audit.notice /etc/syslog.conf
or
# grep @@ /etc/rsyslog.conf

If
audit.notice @remotesystemname, audit.notice !remotesystemname (syslog configuration)
or
*.* @@remotesystemname (rsyslog configuration)
points to an invalid remote system or is commented out, this is a finding.

If no output is produced, this is a finding.

Check the remote syslog host to ensure that audit records can be found for this host.
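
The Check Contents above describe a manual grep of /etc/syslog.conf or /etc/rsyslog.conf. As an added example that is not part of the STIG or of STIGQter, the following POSIX shell function automates that part of the check offline: it ignores commented-out lines, accepts the syslog forms (audit.notice @host or !host) and the rsyslog forms (*.* @@host or *.* :omrelp:host:port), and rejects a destination left as the [remotesystemname] placeholder or pointing at the loopback host (treating loopback as "not a remote system" is this example's own assumption). The auditconfig and svcs steps still have to be run on the Solaris host, and whether the named host is reachable or actually receiving records is not checked here. The sample configuration files are constructed inline.

```shell
#!/bin/sh
# Added example, not STIG text: offline check of the audit forwarding line.

# audit_forward_ok FILE MODE
#   MODE is "syslog"  (expects "audit.notice @host" or "audit.notice !host")
#        or "rsyslog" (expects "*.* @@host" or "*.* :omrelp:host:port").
#   Returns 0 and prints the matching line when an uncommented line names a
#   usable remote host; returns 1 otherwise (missing, commented out,
#   placeholder, or loopback destination).
audit_forward_ok() {
    conf=$1
    mode=$2
    [ -r "$conf" ] || return 1
    case $mode in
        syslog)  pattern='^[[:space:]]*audit\.notice[[:space:]]+[@!]' ;;
        rsyslog) pattern='^[[:space:]]*\*\.\*[[:space:]]+(@@|:omrelp:)' ;;
        *)       return 1 ;;
    esac
    # Drop comment lines first so a commented-out forwarding line cannot pass.
    line=$(grep -v '^[[:space:]]*#' "$conf" | grep -E "$pattern" | head -n 1 || true)
    [ -n "$line" ] || return 1
    # Isolate the destination host: strip @@ / @ / ! / :omrelp: and a trailing port.
    dest=$(printf '%s\n' "$line" | awk '{print $2}' \
        | sed -e 's/^@@//' -e 's/^[@!]//' -e 's/^:omrelp://' -e 's/:[0-9]*$//')
    # Reject the STIG placeholder and, by this example's assumption, loopback.
    case $dest in
        ''|'['*|remotesystemname|localhost|127.0.0.1) return 1 ;;
    esac
    printf '%s\n' "$line"
    return 0
}

# Stand-alone demonstration on constructed sample files (not from a real host).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/syslog.conf" <<'EOF'
# constructed syslog.conf fragment: old line commented out, new line active
*.err;kern.notice;auth.notice	/dev/sysmsg
#audit.notice	@old-collector.example.com
audit.notice	@auditsrv.example.com
EOF
    cat > "$tmp/rsyslog.conf" <<'EOF'
# constructed rsyslog.conf fragment: placeholder was never replaced
*.* @@[remotesystemname]
EOF
    for mode in syslog rsyslog; do
        if audit_forward_ok "$tmp/$mode.conf" "$mode"; then
            echo "$mode: remote forwarding configured (not a finding)"
        else
            echo "$mode: no valid uncommented forwarding line (finding)"
        fi
    done
    rm -rf "$tmp"
}

demo
```

On a Solaris host the function would be pointed at the real /etc/syslog.conf or /etc/rsyslog.conf, choosing the mode from the output of svcs system-log; the pfexec auditconfig -getplugin check and the verification on the remote syslog host remain separate manual steps.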

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments