STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 25 Apr 2019

AIX must provide audit record generation functionality for DoD-defined auditable events.

DISA Rule

SV-101873r1_rule

Vulnerability Number

V-91775

Group Title

SRG-OS-000062-GPOS-00031

Rule Version

AIX7-00-002016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the "stig_audit_config.txt" file to configure the AIX audit process.

Edit the /etc/security/audit/objects file and add or update the following lines to the listed values:

/etc/security/environ:
w = "S_ENVIRON_WRITE"

/etc/security/group:
w = "S_GROUP_WRITE"

/etc/group:
w = "S_GROUP_WRITE"

/etc/security/limits:
w = "S_LIMITS_WRITE"

/etc/security/login.cfg:
w = "S_LOGIN_WRITE"

/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"

/etc/security/user:
w = "S_USER_WRITE"

/etc/security/audit/config:
w = "AUD_CONFIG_WR"


Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start

Note: There are multiple default "classes" defined in the "/etc/security/audit/config" file. The only audit class that is required by this document is the "stig_aud_class". All other defined classes can be removed at the discretion of the organization.

Check Contents

Ensure that auditing is properly configured.

Run the "stig_audit_check.sh" script.

If any results are returned from the script, this is a finding.

Verify that the file "/etc/security/audit/config" includes the following:

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

If any of the configurations listed above is missing or not set to the listed value, this is a finding.

Verify that the file "/etc/security/audit/objects" includes the following objects:

/etc/security/environ:
w = "S_ENVIRON_WRITE"

/etc/security/group:
w = "S_GROUP_WRITE"

/etc/group:
w = "S_GROUP_WRITE"

/etc/security/limits:
w = "S_LIMITS_WRITE"

/etc/security/login.cfg:
w = "S_LOGIN_WRITE"

/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"

/etc/security/user:
w = "S_USER_WRITE"

/etc/security/audit/config:
w = "AUD_CONFIG_WR"

If any of the objects listed above are missing from "/etc/security/audit/objects", this is a finding.
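
One way to automate the objects-file comparison in the check above, as an added example (it is not part of the STIG and is not the "stig_audit_check.sh" script the check names). The function name, the sample file and its three defects are constructed for illustration; the code assumes a POSIX sh with awk.

```shell
# Required "object mode event" triples, taken from the check text above.
REQUIRED='/etc/security/environ w S_ENVIRON_WRITE
/etc/security/group w S_GROUP_WRITE
/etc/group w S_GROUP_WRITE
/etc/security/limits w S_LIMITS_WRITE
/etc/security/login.cfg w S_LOGIN_WRITE
/etc/security/passwd r S_PASSWD_READ
/etc/security/passwd w S_PASSWD_WRITE
/etc/security/user w S_USER_WRITE
/etc/security/audit/config w AUD_CONFIG_WR'

# Print every required entry that is absent or mapped to another event;
# no output means the objects file passes this part of the check.
missing_audit_objects() {
    printf '%s\n' "$REQUIRED" | awk -v f="$1" '
        BEGIN {  # load the stanza file into have[object, mode] = event
            while ((getline line < f) > 0) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", line)
                if (line == "" || line ~ /^\*/) continue  # blank, or "*" comment (assumed syntax)
                if (line ~ /:$/) { obj = substr(line, 1, length(line) - 1); continue }
                eq = index(line, "="); if (eq == 0 || obj == "") continue
                mode = substr(line, 1, eq - 1); val = substr(line, eq + 1)
                gsub(/[ \t"]/, "", mode); gsub(/[ \t"]/, "", val)
                have[obj, mode] = val
            }
        }
        { if (have[$1, $2] != $3) print $1 ": " $2 " = \"" $3 "\"" }'
}

# Constructed sample: no /etc/group stanza, no passwd "r" line, misnamed login.cfg event.
sample="${TMPDIR:-/tmp}/objects.sample.$$"
cat > "$sample" <<'EOF'
/etc/security/environ:
    w = "S_ENVIRON_WRITE"
/etc/security/group:
    w = "S_GROUP_WRITE"
/etc/security/limits:
    w = "S_LIMITS_WRITE"
/etc/security/login.cfg:
    w = "S_LOGIN_WR"
/etc/security/passwd:
    w = "S_PASSWD_WRITE"
/etc/security/user:
    w = "S_USER_WRITE"
/etc/security/audit/config:
    w = "AUD_CONFIG_WR"
EOF
missing_audit_objects "$sample"
rm -f "$sample"
```

On a host, call `missing_audit_objects /etc/security/audit/objects`; each line printed is a finding under this check.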

Documentable

False

Check Content Reference

M

Target Key

3491
