First of all I would like to say I'm not a Linux/Solaris guy, but I was just assigned a task to look at one particular item in a hardening checklist, so I am seeking help here to understand more.
From the current checklist there are these commands below:
# read the audit trail directory from the "dir:" line of audit_control
dir=$(awk -F: '($1 == "dir") { print $2 }' /etc/security/audit_control)
# make root the owner of everything in it and remove group/other access
chown root:root "$dir"/*
chmod go-rwx "$dir"/*
I understand this will read the audit_control file, look for the line with "dir" and print column #2 into the variable, then set the directories' owner and permissions. However this file doesn't exist in my Solaris 11, and I did check using "auditconfig -getcond" and the result is auditing (if it matters).
1. From the last sentence here I can see it mentioned that "dir" is deprecated in Solaris 10, so it at least still exists in Solaris 10. Was the file moved in Solaris 11? If yes, where was it moved to?
2. Exploring further, I found the command "auditconfig -getplugin", and I can see the result is similar to the example in the link above. Is this the same info I'm looking for in /etc/security/audit_control?
I'm trying to achieve the hardening using a script (if the same file still exists). Otherwise, if the file was removed, I will need to change the steps to issue the "auditconfig -getplugin" command and manually check each directory's owner and permissions.
Any help/clarification is appreciated.
____________________________________________________________________________
Edit:
Additional finding on Snare Agent knowledgebase here, it stated:
With Solaris 10, when we install the audit_control file we indicate to use the Snare plugin by default... (followed by the contents of audit_control)
(Another paragraph)
Solaris 11 uses the service manager to handle the plugins rather than the audit_control file.
The auditconfig command can be used to configure this:
#auditconfig -getplugin
(Which is the command I found earlier)
Is that a clearer indicator that the audit_control file no longer exists in Solaris 11? This is in fact a third-party statement, however I'm not sure why I'm not able to find information on the obsolescence of this file on the Oracle site.
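A Solaris 11 version of the checklist step, as an added example that is not part of the original post: it takes the trail directories from `auditconfig -getplugin` output instead of from audit_control and applies the same chown/chmod. It assumes the audit_binfile plugin lists its directories in an "Attributes:" line as p_dir=<dir>[,<dir>...]; the sample output embedded below is constructed to that shape, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post: Solaris 11 equivalent of the
# audit_control "dir" hardening step, driven by `auditconfig -getplugin`.
# ASSUMPTION: the audit_binfile plugin reports its trail directories as
# p_dir=<dir>[,<dir>...] in an "Attributes:" line. SAMPLE_PLUGIN_OUTPUT is
# constructed to that shape for offline testing.

SAMPLE_PLUGIN_OUTPUT='Plugin: audit_binfile (active)
    Attributes: p_dir=/var/audit,/export/audit;p_fsize=0;p_minfree=1;
    Queue size: 0
Plugin: audit_syslog (inactive)
    Attributes: p_flags=;
    Queue size: 0'

# Read plugin output on stdin; print one audit trail directory per line.
audit_dirs_from_plugin() {
    awk '
        sub(/^[[:space:]]*Attributes:[[:space:]]*/, "") {
            n = split($0, attrs, ";")
            for (i = 1; i <= n; i++)
                if (sub(/^p_dir=/, "", attrs[i])) {
                    m = split(attrs[i], dirs, ",")
                    for (j = 1; j <= m; j++)
                        if (dirs[j] != "") print dirs[j]
                }
        }'
}

# Apply the checklist owner/mode to every entry of each directory read from
# stdin. "check" (default) only lists current owner/mode; "apply" changes it.
harden_audit_dirs() {
    mode=${1:-check}
    while IFS= read -r d; do
        [ -d "$d" ] || { echo "skipping $d: not a directory" >&2; continue; }
        for f in "$d"/*; do
            [ -e "$f" ] || continue        # empty directory: glob stays literal
            if [ "$mode" = apply ]; then
                chown root:root "$f" && chmod go-rwx "$f"
            else
                ls -ld "$f"
            fi
        done
    done
}

# On a live system (root needed for apply):
#   auditconfig -getplugin | audit_dirs_from_plugin | harden_audit_dirs apply
# Offline demonstration against the constructed sample:
printf '%s\n' "$SAMPLE_PLUGIN_OUTPUT" | audit_dirs_from_plugin
```

Run it in check mode first so you can review the current owner and mode of each trail file before changing anything.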