Information
This recommendation implements a local syslog configuration.
Rationale:
Establishing a logging process via syslog provides system and security administrators with pertinent information relating to: login, mail, daemon, user and kernel activity. The recommendation is to enable local syslog logging, with a weekly rotation policy in a four weekly cycle. The log rotation isolates historical data which can be reviewed retrospectively if an issue is uncovered at a later date.
Impact:
This recommendation is manual because there are likely local requirements that surpass the basic recommendation here.
Solution
Explicitly define a log file for the auth.info output in /etc/syslog.conf:
printf 'auth.infott/var/adm/authlog rotate time 1w files 4
' >> /etc/syslog.conf
NOTE: This ensures that remote login, sudo or su attempts are logged separately
Create the authlog file and make it readable by root only:
touch /var/adm/authlog
chown root:system /var/adm/authlog
chmod u=rw,go= /var/adm/authlog
Create an entry in /etc/syslog.conf to capture all other output of level info or higher, excluding authentication information, as this is to be captured within /var/adm/authlog:
printf '*.info;auth.nonet/var/adm/syslog rotate time 1w files 4
' >> /etc/syslog.conf
Create the syslog file:
touch /var/adm/syslog
chmod u=rw,g=r,o= /var/adm/syslog
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Default Value:
Not configured
Additional Information:
Reversion:
Edit /etc/syslog.conf and remove the authlog and syslog entries:
vi /etc/syslog.conf
Remove:
auth.info /var/adm/authlog rotate time 1w files 4
*.info;auth.none /var/adm/syslog rotate time 1w files 4
Refresh syslogd to force the daemon to read the edited /etc/syslog.conf:
refresh -s syslogd
Delete the authlog and syslog files:
rm /var/adm/authlog /var/adm/syslog