Title

The audit system must identify in which zone an event occurred. (Cat III impact)

Discussion

Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.

Check Content

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Determine whether the "zonename" auditing policy is in effect. # pfexec auditconfig -getpolicy | grep active | grep zonename If no output is returned, this is a finding.

Fix Text

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Enable the "zonename" auditing policy. # pfexec auditconfig -setpolicy +zonename

Additional Identifiers

Rule ID: SV-216477r959010_rule

Vulnerability ID: V-216477

Group Title: SRG-OS-000480

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.