STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.

DISA Rule

SV-215238r508663_rule

Vulnerability Number

V-215238

Group Title

SRG-OS-000040-GPOS-00018

Rule Version

AIX7-00-002004

Severity

CAT II

CCI(s)

• CCI-000133 - The information system generates audit records containing information that establishes the source of the event.
• CCI-001487 - The information system generates audit records containing information that establishes the identity of any individuals or subjects associated with the event.

Weight

10

Fix Recommendation

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

Check Contents

Verify the audit event "process id" is displayed:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -helRtcp

event login status time command
process
--------------- -------- ----------- ------------------------ ------------------
------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit
9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh
12976466
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ls
9437658

If user id or process id is not displayed, this is a finding.

More information on the command options used above:
-e the audit event.
-l the login name of the user.
-R the audit status.
-t the time the record was written.
-c the command name.
-p the process ID.

Vulnerability Number

V-215238

Documentable

False

Rule Version

AIX7-00-002004

Severity Override Guidance

Verify the audit event "process id" is displayed:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -helRtcp

event login status time command
process
--------------- -------- ----------- ------------------------ ------------------
------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit
9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh
12976466
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ls
9437658

If user id or process id is not displayed, this is a finding.

More information on the command options used above:
-e the audit event.
-l the login name of the user.
-R the audit status.
-t the time the record was written.
-c the command name.
-p the process ID.

Check Content Reference

M

Target Key

4012

Comments