STIGQter: STIG Summary: Solaris 10 SPARC Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 22 Jan 2021:

The system must be configured to send audit records to a remote audit server.

DISA Rule

SV-226611r603265_rule

Vulnerability Number

V-226611

Group Title

SRG-OS-000215

Rule Version

GEN002870

Severity

CAT III

CCI(s)

• CCI-001348 - The information system backs up audit records on an organization-defined frequency onto a different system or system component than the system or component being audited.

Weight

10

Fix Recommendation

Update the /etc/security/audit_control file to save audit records to a remote NFS mount.

dir:<remote NFS directory>

OR

If the /usr/lib/security/audit_syslog.so* exists, update the /etc/security/audit_control file to send all audit records to syslog and update /etc/syslog.conf to send all audit messages to a remote server.

/etc/security/audit_control:
plugin:name=audit_syslog.so.1; p_flags=all

/etc/syslog.conf:
audit.* @<remote syslog server>

Check Contents

Audit records may be sent to a remote server in two ways, via an NFS mount of the audit directory, or via the audit_syslog plugin (if available).

NFS:
Check the "dir" parameter in /etc/security/audit_control. If the directory is on an NFS mount to a remote server, there is no finding.

SYSLOG:
Check the "plugin" parameter in /etc/security/audit_control. Confirm that the audit_syslog.so* plugin is listed with "p_flags=all".
# grep audit_syslog.so /etc/security/audit_control
Check that syslogd is sending messages to a remote server (GEN005450):
# grep '@' /etc/syslog.conf | grep -v '^#'
If both auditd is configured to send audit records to syslog, and syslogd is configured to send messages to a remote server, there is no finding.

If auditd is saving audit records on a local directory, and audit records are not being sent to a remote server via syslog, this is a finding.

Vulnerability Number

V-226611

Documentable

False

Rule Version

GEN002870

Severity Override Guidance

Audit records may be sent to a remote server in two ways, via an NFS mount of the audit directory, or via the audit_syslog plugin (if available).

NFS:
Check the "dir" parameter in /etc/security/audit_control. If the directory is on an NFS mount to a remote server, there is no finding.

SYSLOG:
Check the "plugin" parameter in /etc/security/audit_control. Confirm that the audit_syslog.so* plugin is listed with "p_flags=all".
# grep audit_syslog.so /etc/security/audit_control
Check that syslogd is sending messages to a remote server (GEN005450):
# grep '@' /etc/syslog.conf | grep -v '^#'
If both auditd is configured to send audit records to syslog, and syslogd is configured to send messages to a remote server, there is no finding.

If auditd is saving audit records on a local directory, and audit records are not being sent to a remote server via syslog, this is a finding.

Check Content Reference

M

Target Key

4060

Comments