An error occurred:

Check: SOL-11.1-010440

Solaris 11 SPARC STIG: SOL-11.1-010440 (in versions v2 r10 through v2 r2)

Title

The operating system must protect audit information from unauthorized access. (Cat II impact)

Discussion

If audit data were to become compromised, then competent forensic analysis and discovery of the true source of potentially malicious system activity is difficult, if not impossible, to achieve. To ensure the veracity of audit data, the operating system must protect audit information from unauthorized access. Satisfies: SRG-OS-000057, SRG-OS-000058, SRG-OS-000059

Check Content

The root role is required. This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. Check that the directory storing the audit files is owned by root and has permissions 750 or less. Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # ls -ld /var/share/audit Check the audit directory is owned by root, group is root, and permissions are 750 (rwx r-- ---) or less. If the permissions are excessive, this is a finding.

Fix Text

Note: By default in Solaris 11.1, /var/audit is a link to /var/share/audit which is mounted on rpool/VARSHARE. The root role is required. This action applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this action applies. Determine the location of the audit trail files # pfexec auditconfig -getplugin audit_binfile| The output will appear in this form: Plugin: audit_binfile (active) Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1 The p_dir attribute defines the location of the audit directory. # chown root [directory] # chgrp root [directory] # chmod 750 [directory]

Additional Identifiers

Rule ID: SV-216277r603267_rule

Vulnerability ID: V-216277

Group Title: SRG-OS-000057

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000162

The information system protects audit information from unauthorized access.
CCI-000163

The information system protects audit information from unauthorized modification.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-9

Protection Of Audit Information