SV-216269r603267_rule
V-216269
SRG-OS-000061
SOL-11.1-010350
CAT III
10
The Service Management, Audit Configuration, and Audit Control rights profiles are required.
This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Configure Solaris 11 to use the syslog audit plugin:
# pfexec auditconfig -setplugin audit_syslog active
Determine which system-log service instance is online.
# pfexec svcs system-log
If the default system-log service is online:
# pfedit /etc/syslog.conf
Add the line:
audit.notice @[remotesystemname]
or
audit.notice ![remotesystemname]
replacing [remotesystemname] with the hostname of the remote log host.
If the rsyslog service is online, modify the /etc/rsyslog.conf file.
# pfedit /etc/rsyslog.conf
Add the line:
*.* @@[remotesystemname]
or
*.* :omrelp:[remotesystemname]:[designatedportnumber]
replacing [remotesystemname] with the hostname of the remote log host and, for the omrelp form, [designatedportnumber] with the port on which that host accepts RELP connections.
Create the log file on the remote system:
# touch /var/adm/auditlog
Refresh the syslog service:
# pfexec svcadm refresh system/system-log:default
or
# pfexec svcadm refresh system/system-log:rsyslog
Refresh the audit service:
# pfexec audit -s
Audit Configuration rights profile is required.
This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the syslog audit plugin is enabled.
# pfexec auditconfig -getplugin | grep audit_syslog
If "inactive" appears, this is a finding.
Determine which system-log service instance is online.
# pfexec svcs system-log
Check that the /etc/syslog.conf or /etc/rsyslog.conf file is configured properly:
# grep audit.notice /etc/syslog.conf
or
# grep @@ /etc/rsyslog.conf
If the forwarding line ("audit.notice @remotesystemname" or "audit.notice !remotesystemname" in the syslog configuration, "*.* @@remotesystemname" in the rsyslog configuration) points to an invalid remote system or is commented out, this is a finding.
If no output is produced, this is a finding.
Check the remote syslog host to ensure that audit records can be found for this host.
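The grep step of the check above, reproduced as an added example that is not part of the STIG text: it evaluates syslog- and rsyslog-style configurations over constructed sample files so the "commented out, placeholder or missing forwarding line equals finding" decision can be exercised off-box. The hostnames, file names and port are constructed; it does not run auditconfig or svcs.

```shell
#!/bin/sh
# Added example (not part of the STIG text): mirrors the check's configuration
# review. A forwarding line only counts when it is not commented out and names
# a real-looking host; a bracketed placeholder such as [remotesystemname] is
# treated as unconfigured, since a grep cannot verify that a host is valid.

# Returns 0 when an uncommented "audit.notice" line uses either forwarding form
# from the fix text ("@host" or "!host") with a plausible hostname.
check_syslog_forwarding() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '^audit\.notice[[:space:]]+[@!][A-Za-z0-9][A-Za-z0-9.-]*[[:space:]]*$'
}

# Returns 0 when an uncommented "*.*" line forwards everything over TCP ("@@host")
# or RELP (":omrelp:host:port").
check_rsyslog_forwarding() {
    grep -v '^[[:space:]]*#' "$1" |
        grep -Eq '^\*\.\*[[:space:]]+(@@[A-Za-z0-9][A-Za-z0-9.-]*|:omrelp:[A-Za-z0-9][A-Za-z0-9.-]*:[0-9]+)[[:space:]]*$'
}

# verdict CHECKER FILE: prints the STIG wording for the checker's result.
verdict() {
    if "$1" "$2"; then echo "$2: configured"; else echo "$2: FINDING"; fi
}

# Constructed samples; loghost.example.net is illustrative, not a real system.
demo_dir=$(mktemp -d)
printf 'audit.notice @loghost.example.net\n'    > "$demo_dir/syslog.ok"
printf '#audit.notice @loghost.example.net\n'   > "$demo_dir/syslog.commented"
printf 'audit.notice @[remotesystemname]\n'     > "$demo_dir/syslog.placeholder"
printf '*.* @@loghost.example.net\n'            > "$demo_dir/rsyslog.ok"
printf '*.* :omrelp:loghost.example.net:2514\n' > "$demo_dir/rsyslog.relp"
printf '*.* /var/log/messages\n'                > "$demo_dir/rsyslog.local"

for f in syslog.ok syslog.commented syslog.placeholder; do
    verdict check_syslog_forwarding "$demo_dir/$f"
done
for f in rsyslog.ok rsyslog.relp rsyslog.local; do
    verdict check_rsyslog_forwarding "$demo_dir/$f"
done
rm -rf "$demo_dir"
```

On a live host the functions are pointed at /etc/syslog.conf or /etc/rsyslog.conf after `svcs system-log` shows which instance is online; the plugin state itself still comes from `auditconfig -getplugin`.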