Information
The Solaris Audit service can be configured to record incoming network connections to any
listening service running on the system.
Rationale:
This recommendation will provide an audit trail that contains information related to
incoming network connections. While this functionality can be enabled using
service-specific mechanisms, using the Solaris Audit service provides a more
centralized and complete window into incoming network activity.
Solution
To enforce this setting, use the following commands to back up and modify the
/etc/security/audit_event file, adding the cis audit class to the AUE_ACCEPT,
AUE_CONNECT, AUE_SOCKACCEPT, AUE_SOCKCONNECT and AUE_inetd_connect audit events:
# cp /etc/security/audit_event /etc/security/audit_event.orig
# awk 'BEGIN{FS=":"; OFS=":"}
    {if ($2 ~ /AUE_ACCEPT|AUE_CONNECT|AUE_SOCKACCEPT|AUE_SOCKCONNECT|AUE_inetd_connect/) $4=$4",cis";}
    {print}' /etc/security/audit_event > /etc/security/audit_event.out
# cp /etc/security/audit_event.out /etc/security/audit_event
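
A check for the result of the commands above, added here as an example and not part of the original recommendation: it lists the five events that do not carry the cis class in the fourth field of an audit_event file. The function name missing_cis_events and the sample entries (including their event numbers and descriptions) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which of the five network events lack the cis class.
# audit_event fields, as used by the awk command above: number:name:description:classes

missing_cis_events() {
    # $1 = path to an audit_event file (hypothetical helper, not a Solaris tool)
    awk -F: '
        BEGIN {
            n = split("AUE_ACCEPT AUE_CONNECT AUE_SOCKACCEPT AUE_SOCKCONNECT AUE_inetd_connect", names, " ")
            for (i = 1; i <= n; i++) want[names[i]] = 1
        }
        /^[ \t]*#/ { next }                 # ignore comment lines
        ($2 in want) {                      # exact event-name match
            seen[$2] = 1
            found = 0
            m = split($4, cls, ",")         # class list is comma separated
            for (j = 1; j <= m; j++) if (cls[j] == "cis") found = 1
            if (!found) print $2
        }
        END {
            # an event with no line at all cannot have been tagged
            for (i = 1; i <= n; i++) if (!(names[i] in seen)) print names[i] " (no entry)"
        }
    ' "$1"
}

# Constructed sample input: event numbers and descriptions are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real audit_event file
1:AUE_ACCEPT:accept(2):nt,cis
2:AUE_CONNECT:connect(2):nt
3:AUE_SOCKACCEPT:sample description:nt,cis
4:AUE_SOCKCONNECT:sample description:nt,cisx
EOF
missing_cis_events "$sample"
rm -f "$sample"
```

Empty output means every listed event carries cis. Because the awk command in the Solution appends ,cis on every run, running this check first avoids adding the class a second time.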