4.5 Configure Solaris Auditing - active user default audit flags

Information

The Solaris auditing service keeps a record of how a system is being used. Solaris auditing can
be configured to record different classes of events based upon site policy. This
recommendation will set and verify a consensus-developed auditing policy. That said, all
organizations are encouraged to tailor this policy based upon their specific needs. For more
information on the Solaris auditing service, including how to filter and view events, see the
Oracle Solaris product documentation.

The 'cis' class is a custom class that CIS recommends creating; it includes specifically
those events that are of interest (defined in the sections above) and must already be defined
there before the commands below will accept it. In addition to those events, this
recommendation also audits login and logout (lo) events, administrative (ad) events, file
transfer (ft) events, and command execution (ex) events. Non-attributable events (those that
occur before an action can be attributed to a user, such as a failed login) are audited for
the lo class only, and the root role is given the same always-audit class list explicitly.

This recommendation also configures the Solaris auditing service to capture and report
command line arguments for command execution events (the argv policy) and the name of the
zone in which a command was executed, for global and non-global zones (the zonename policy).
The cnt policy keeps the system running and counts dropped records, rather than blocking
processes, when an audit record cannot be written. Further, this recommendation sets the
audit_binfile plugin's p_minfree attribute to 1, so that when free space on the file system
that includes /var/shares/audit falls below 1%, a warning e-mail is sent to advise the system
administrators that audit events may be lost if the disk becomes full. Finally, this
recommendation ensures that a new audit trail file is started at the beginning of each day
(audit -n run from cron), to help keep the size of the files small and facilitate analysis.

The consensus settings described in this section are an effort to log interesting system
events without consuming excessive amounts of resources logging significant but usually
uninteresting system calls.

Solution

To enforce this setting, use the following commands:

# auditconfig -conf
# auditconfig -setflags lo,ad,ft,ex,cis
# auditconfig -setnaflags lo
# auditconfig -setpolicy cnt,argv,zonename
# auditconfig -setplugin audit_binfile active p_minfree=1
# audit -s
# rolemod -K audit_flags=lo,ad,ft,ex,cis:no root
# EDITOR=ed crontab -e root << END_CRON
$
a
0 0 * * * /usr/sbin/audit -n
.
w
q
END_CRON
# chown root:root /var/shares/audit
# chmod 750 /var/shares/audit

The audit_flags value given to rolemod has the form always-audit-classes:never-audit-classes;
the 'no' class as the never-audit list means that nothing is excluded for the root role.
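As an added example (not code from the CIS benchmark or from the Tenable plugin), the following POSIX shell functions check the output of the auditconfig query subcommands (-getflags, -getnaflags, -getpolicy and -getplugin audit_binfile) against the values set by the commands above, which is the verification step a practitioner would run after applying the setting. The sample outputs embedded in the script are constructed to follow the Solaris 11 output format; the hex class masks in parentheses and the p_dir value are placeholders, not values captured from a real host.

```shell
#!/bin/sh
# Added example: verify the auditconfig settings from the Solution above.
# Not part of the CIS benchmark or the Tenable plugin.  The SAMPLE_* strings
# are constructed to follow the Solaris 11 `auditconfig -get*` output format;
# the hex class masks and the p_dir value are placeholders.

# Print the value after "<label> = " on the first matching line of stdin,
# dropping a trailing "(0x....,0x....)" class mask.
value_of() {
    sed -n "s/^$1 = \([^(]*\).*/\1/p" | head -n 1
}

# Return 0 when every comma-separated item in $1 occurs in the comma-separated
# list $2; otherwise print the missing items and return 1.
list_contains() {
    missing=""
    old_ifs=$IFS
    IFS=,
    for item in $1; do
        case ",$2," in
            *",$item,"*) ;;
            *) missing="$missing $item" ;;
        esac
    done
    IFS=$old_ifs
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# $1 is the text of `auditconfig -getflags`; the active user default flags
# must include every class set with -setflags above.
check_flags() {
    list_contains "lo,ad,ft,ex,cis" \
        "$(printf '%s\n' "$1" | value_of 'active user default audit flags')"
}

# $1 is the text of `auditconfig -getnaflags`; non-attributable events must
# include the lo class.
check_naflags() {
    list_contains "lo" \
        "$(printf '%s\n' "$1" | value_of 'active non-attributable audit flags')"
}

# $1 is the text of `auditconfig -getpolicy`; all three policies must be active.
check_policy() {
    list_contains "cnt,argv,zonename" \
        "$(printf '%s\n' "$1" | value_of 'active audit policies')"
}

# $1 is the text of `auditconfig -getplugin audit_binfile`; p_minfree must be 1.
check_minfree() {
    minfree=$(printf '%s\n' "$1" | sed -n 's/.*p_minfree=\([0-9]*\).*/\1/p' | head -n 1)
    [ "$minfree" = "1" ]
}

# Constructed sample outputs (placeholders, not captured from a real host).
SAMPLE_FLAGS_OK='active user default audit flags = lo,ad,ft,ex,cis(0x1000,0x1000)
configured user default audit flags = lo,ad,ft,ex,cis(0x1000,0x1000)'
SAMPLE_FLAGS_BAD='active user default audit flags = lo(0x1000,0x1000)
configured user default audit flags = lo(0x1000,0x1000)'
SAMPLE_NAFLAGS_OK='active non-attributable audit flags = lo(0x1000,0x1000)
configured non-attributable audit flags = lo(0x1000,0x1000)'
SAMPLE_POLICY_OK='configured audit policies = argv,cnt,zonename
active audit policies = argv,cnt,zonename'
SAMPLE_PLUGIN_OK='Plugin: audit_binfile
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=1;'
SAMPLE_PLUGIN_BAD='Plugin: audit_binfile
        Attributes: p_dir=/var/audit;p_fsize=0;p_minfree=0;'

# Run the checks against the samples; on a live Solaris host pass the real
# output instead, e.g.  check_flags "$(auditconfig -getflags)".
report() {
    if "$@"; then echo "PASS: $1"; else echo "FAIL: $1"; fi
}
report check_flags   "$SAMPLE_FLAGS_OK"
report check_flags   "$SAMPLE_FLAGS_BAD"
report check_naflags "$SAMPLE_NAFLAGS_OK"
report check_policy  "$SAMPLE_POLICY_OK"
report check_minfree "$SAMPLE_PLUGIN_OK"
report check_minfree "$SAMPLE_PLUGIN_BAD"
```

The checks compare the "active" lines rather than the "configured" lines because auditconfig reports both, and only the active values describe what the running kernel is auditing; a host whose configured flags are correct but whose active flags still show only lo has not yet had audit -s applied. Class order is ignored, since auditconfig prints classes in its own order regardless of the order given to -setflags.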
5 File/Directory Permissions/Access

File and directory permission control is one of the greatest challenges of secure system
administration. This section provides guidance on how to secure system files and
directories and set secure defaults for users. Guidance for monitoring user and system files
on an on-going basis is provided in the System Maintenance section of this document.

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: b2cf3b770f4bf56ae68f1872797803d44c90cebd3776904493bc536f8753cd15