STIGQter STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must produce audit records containing information to establish where the events occurred.

DISA Rule

SV-215237r508663_rule

Vulnerability Number

V-215237

Group Title

SRG-OS-000039-GPOS-00017

Rule Version

AIX7-00-002003

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

Check Contents

Verify audit event detailed information is displayed:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -v

event login status time command
wpar name
--------------- -------- ----------- ------------------------ ------------------
------------- -------------------------
FS_Chdir root OK Sat Aug 26 19:31:37 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:31:47 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:31:57 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:32:07 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:32:17 2017 ps
Global
change current directory to: /dev

If event detailed information is not displayed, this is a finding.
More information on the command options used above:
- v detailed information for the event

Vulnerability Number

V-215237

Documentable

False

Rule Version

AIX7-00-002003

Severity Override Guidance

Verify audit event detailed information is displayed:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -v

event login status time command
wpar name
--------------- -------- ----------- ------------------------ ------------------
------------- -------------------------
FS_Chdir root OK Sat Aug 26 19:31:37 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:31:47 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:31:57 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:32:07 2017 ps
Global
change current directory to: /dev
FS_Chdir root OK Sat Aug 26 19:32:17 2017 ps
Global
change current directory to: /dev

If event detailed information is not displayed, this is a finding.
More information on the command options used above:
- v detailed information for the event

Check Content Reference

M

Target Key

4012

Comments