SV-216277r603267_rule
V-216277
SRG-OS-000057
SOL-11.1-010440
CAT II
10
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
The root role is required.
This action applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this action applies.
Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile|
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# chown root [directory]
# chgrp root [directory]
# chmod 750 [directory]
The root role is required.
This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the directory storing the audit files is owned by root and has permissions 750 or less.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit
Check the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.
V-216277
False
SOL-11.1-010440
The root role is required.
This check applies to the global zone only. Determine the zone that you are currently securing.
# zonename
If the command output is "global", this check applies.
Check that the directory storing the audit files is owned by root and has permissions 750 or less.
Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE.
Determine the location of the audit trail files
# pfexec auditconfig -getplugin audit_binfile
The output will appear in this form:
Plugin: audit_binfile (active)
Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1
The p_dir attribute defines the location of the audit directory.
# ls -ld /var/share/audit
Check the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.
M
4022