4.5 Configure Solaris Auditing

Information

Solaris auditing service keeps a record of how a system is being used. Solaris auditing can be configured to record different classes of events based upon site policy. This recommendation will set and verify a consensus-developed auditing policy. That said, all organizations are encouraged to tailor this policy based upon their specific needs. For more information on the Solaris auditing service including how to filter and view events, see the Oracle Solaris product documentation.

The 'cis' class is a 'custom class' that CIS recommends creating that includes specifically those events that are of interest (defined in the sections above). In addition to those events, this recommendation also includes auditing of login and logout (lo) events, administrative (ad) events, file transfer (ft) events, and command execution (ex) events.

This recommendation also configures the Solaris auditing service to capture and report command line arguments (for command execution events) and the zone name in which a command was executed (for global and non-global zones). Further, this recommendation sets a disk utilization threshold of 1%. If this threshold is crossed (for the volume that includes /var/shares/audit), then a warning e-mail will be sent to advise the system administrators that audit events may be lost if the disk becomes full. Finally, this recommendation will also ensure that new audit trails are created at the start of each new day (to help keep the size of the files small to facilitate analysis).

Rationale:

The consensus settings described in this section are an effort to log interesting system events without consuming excessive amounts of resources logging significant but usually uninteresting system calls.

Solution

To enforce this setting, run the following commands:

# auditconfig -conf

# auditconfig -setflags lo,ad,ft,ex,cis

# auditconfig -setnaflags lo

# auditconfig -setpolicy cnt,argv,zonename

# auditconfig -setplugin audit_binfile active p_minfree=1

# audit -s

# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root

# EDITOR=ed crontab -e root << END_CRON
$
a
0 0 * * * /usr/sbin/audit -n
.
w
q
END_CRON

# chown root:root /var/share/audit

# chmod 750 /var/share/audit

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 88d40e084e7ebc6aa3b3b73bc7f9103162159b4585c67bab9fed8b2ff532b57a