STIGQter: STIG Summary: Solaris 11 X86 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

A file integrity baseline must be created, maintained, and reviewed at least weekly to determine if unauthorized changes have been made to important system files located in the root file system.

DISA Rule

SV-216221r603268_rule

Vulnerability Number

V-216221

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-090010

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Solaris 11 includes the Basic Account and Reporting Tool (BART) which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.

Create a protected area to store BART manifests.
# mkdir /var/adm/log/bartlogs
# chmod 700 /var/adm/log/bartlogs

After initial installation and configuration of the system, create a manifest report of the current baseline.

# bart create > /var/adm/log/bartlogs/[baseline manifest filename]

Check Contents

The root role is required.

Solaris 11 includes the Basic Account and Reporting Tool (BART) which uses cryptographic-strength checksums and file system metadata to determine changes. By default, the manifest generator catalogs all attributes of all files in the root (/) file system. File systems mounted on the root file system are cataloged only if they are of the same type as the root file system.

A Baseline BART manifest may exist in:
/var/adm/log/bartlogs/[control manifest filename]

If a BART manifest does not exist, this is a finding.

At least weekly, create a new BART baseline report.

# bart create > /var/adm/log/bartlogs/[new manifest filename]

Compare the new report to the previous report to identify any changes in the system baseline.

# bart compare /var/adm/log/bartlogs/[baseline manifest filename] /var/adm/log/bartlogs/[new manifest filename]

Examine the BART report for changes. If there are changes to system files in /etc that are not approved, this is a finding.
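
The weekly check above can be scripted so that changes under /etc are pulled out of the comparison for review. The following is an added example, not part of the STIG text; the function names, the BARTDIR variable, the manifest.YYYYMMDD file naming and the --run argument are assumptions, and it uses bart compare -p (programmatic, one line per changed file) in place of the default report.

```shell
#!/bin/sh
# Added example: weekly BART check built from the commands in this rule.
# Assumptions (not from the STIG): BARTDIR, the manifest.YYYYMMDD naming,
# the --run argument, and the use of `bart compare -p`.
BARTDIR=${BARTDIR:-/var/adm/log/bartlogs}

# Read `bart compare` output on stdin and print the path of every changed
# entry under /etc. Only the first field is tested, so this works for -p
# output (line starts with the path) and for the default report (path with
# a trailing colon on its own line, attribute lines indented below it).
etc_changes() {
    awk '{ p = $1; sub(/:$/, "", p) }
         p == "/etc" || index(p, "/etc/") == 1 { print p }' | sort -u
}

# Create this week's manifest, compare it with the baseline and list /etc
# changes. Returns 0 when /etc is unchanged, 1 when changes need review,
# 2 when the baseline is missing (a finding by itself), 3 if create fails.
weekly_check() {
    baseline=$1
    new="$BARTDIR/manifest.$(date +%Y%m%d)"
    [ -s "$baseline" ] || { echo "FINDING: no baseline at $baseline" >&2; return 2; }
    umask 077                      # new manifests readable by root only
    bart create > "$new" || return 3
    changed=$(bart compare -p "$baseline" "$new" | etc_changes)
    [ -z "$changed" ] && return 0
    echo "Changes under /etc requiring approval review:" >&2
    echo "$changed"
    return 1
}

# Runs only when invoked as: <script> --run <path to baseline manifest>
if [ "${1:-}" = "--run" ]; then
    weekly_check "$2"
fi
```

Run as the root role from a weekly cron entry; a non-zero exit status means the report needs a human review against approved changes.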

Documentable

False

Check Content Reference

M

Target Key

4021
