The audit system must identify in which zone an event occurred.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-216477	SRG-OS-000480	SOL-11.1-100040	SV-216477r959010_rule	2024-11-25	3

Description
Tracking the specific Solaris zones in the audit trail reduces the time required to determine the cause of a security event.

ℹ️ Check
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi \| grep -v global The Audit Configuration profile is required. Determine whether the "zonename" auditing policy is in effect. # pfexec auditconfig -getpolicy \| grep active \| grep zonename If no output is returned, this is a finding.

ℹ️ Check

This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi | grep -v global The Audit Configuration profile is required. Determine whether the "zonename" auditing policy is in effect. # pfexec auditconfig -getpolicy | grep active | grep zonename If no output is returned, this is a finding.

✔️ Fix
This check applies to the global zone only. Determine the zone that you are currently securing. # zonename If the command output is "global", this check applies. List the non-global zones on the system. # zoneadm list -vi \| grep -v global The Audit Configuration profile is required. Enable the "zonename" auditing policy. # pfexec auditconfig -setpolicy +zonename