STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide, Version: 2, Release: 3, Benchmark Date: 23 Apr 2021

The operating system must protect audit information from unauthorized access.

DISA Rule

SV-216042r603268_rule

Vulnerability Number

V-216042

Group Title

SRG-OS-000057

Rule Version

SOL-11.1-010440

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

The root role is required.

This action applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this action applies.

Determine the location of the audit trail files:
# pfexec auditconfig -getplugin audit_binfile

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory.

# chown root [directory]
# chgrp root [directory]
# chmod 750 [directory]

Check Contents

The root role is required.

This check applies to the global zone only. Determine the zone that you are currently securing.

# zonename

If the command output is "global", this check applies.

Check that the directory storing the audit files is owned by root and has permissions 750 or less.

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.

Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile

The output will appear in this form:

Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1

The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit

Check that the audit directory is owned by root, its group is root, and its permissions are 750 (rwx r-x ---) or less. If the permissions are excessive, this is a finding.
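The manual check above can be scripted. The following is an added example, not part of the STIG or of STIGQter; the function names are hypothetical, and it assumes that p_dir names a single directory (as in the sample output) and that root is uid 0 and group root is gid 0.

```shell
#!/bin/sh
# Added example, not part of the STIG: scripted form of the manual check.

# Constructed sample in the output form the STIG shows.
SAMPLE='Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1'

# Print the p_dir value from `auditconfig -getplugin audit_binfile` output on stdin.
audit_dir_from_plugin() {
    sed -n 's/^Attributes: *//p' | tr ';' '\n' | sed -n 's/^p_dir=//p' | head -n 1
}

# Succeed when an ls mode string (e.g. drwxr-x---) grants nothing beyond 750:
# group may have r and x but not w, other must have nothing.
# A trailing ACL marker (+) is not evaluated here.
mode_within_750() {
    perms=$(printf '%s' "$1" | cut -c2-10)
    case "$perms" in
        ???[r-]-[x-]---) return 0 ;;
        *) return 1 ;;
    esac
}

# Judge one `ls -ldn` line. Assumption: root is uid 0 and group root is gid 0.
evaluate_ls_line() {
    set -- $1    # fields: mode, links, uid, gid, ...
    [ "$3" = 0 ] || { echo "FINDING: owner uid $3 is not root"; return 1; }
    [ "$4" = 0 ] || { echo "FINDING: group gid $4 is not root"; return 1; }
    mode_within_750 "$1" || { echo "FINDING: mode $1 exceeds 750"; return 1; }
    echo "PASS"
}

# -L follows the /var/audit -> /var/share/audit link the STIG notes.
check_audit_dir() {
    evaluate_ls_line "$(ls -ldLn "$1")"
}

if command -v auditconfig >/dev/null 2>&1 && [ "$(zonename)" = "global" ]; then
    dir=$(pfexec auditconfig -getplugin audit_binfile | audit_dir_from_plugin)
    echo "$dir: $(check_audit_dir "$dir")"
else
    # Off-host: exercise the parser and the judgement on constructed input.
    echo "p_dir: $(printf '%s\n' "$SAMPLE" | audit_dir_from_plugin)"
    echo "sample: $(evaluate_ls_line 'drwxr-xr-x 2 0 0 5 Apr 23 2021 /var/share/audit')"
fi
```

Because the directory is read from p_dir and the link is followed, the script evaluates the directory the audit service actually writes to, not only the default /var/share/audit path.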

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4021

Comments