STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

AIX must produce audit records containing information to establish the outcome of the events.

DISA Rule

SV-215239r508663_rule

Vulnerability Number

V-215239

Group Title

SRG-OS-000041-GPOS-00019

Rule Version

AIX7-00-002005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

Check Contents

Verify that the audit event "status" (the outcome of each audited event) is displayed:

The audit trail file is set by the "trail" value in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -helRtcp

event           login    status      time                     command     process
--------------- -------- ----------- ------------------------ ----------- --------
PROC_Delete     root     OK          Wed Oct 31 23:01:37 2018 audit       9437656
FILE_Close      root     OK          Wed Oct 31 23:01:37 2018 auditbin    12255562
FILE_Open       root     OK          Wed Oct 31 23:01:37 2018 auditbin    12255562
FILE_Read       root     OK          Wed Oct 31 23:01:37 2018 auditbin    12255562
FILE_Close      root     OK          Wed Oct 31 23:01:37 2018 auditbin    12255562
PROC_Create     root     OK          Wed Oct 31 23:01:44 2018 ksh         12976466
FILE_Close      root     OK          Wed Oct 31 23:01:44 2018 ksh         9437658
FILE_Open       root     OK          Wed Oct 31 23:01:44 2018 ksh         9437658
FILE_Read       root     OK          Wed Oct 31 23:01:44 2018 ksh         9437658
FILE_Close      root     OK          Wed Oct 31 23:01:44 2018 ksh         9437658
PROC_Execute    root     OK          Wed Oct 31 23:01:44 2018 ls          9437658
FILE_Open       root     OK          Wed Oct 31 23:01:44 2018 ls          9437658

If the audit status column is not displayed, this is a finding.

More information on the auditpr options used above:
-h prints the column headings.
-e the audit event.
-l the login name of the user.
-R the audit status (the outcome of the event).
-t the time the record was written.
-c the command name.
-p the process ID.
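The check above carried out as a script: an added example written for this page, not part of the STIG or of STIGQter. It reads the trail location from an /etc/security/audit/config style file, runs the listing through a test for the outcome column, and reports a finding when that column is absent. The config fragment, the trail path /var/audit/trail and the two sample listings are constructed for the demonstration, and the script assumes (the page does not say) that the status column only ever holds OK or FAIL.

```shell
#!/bin/sh
# Added example for the AIX7-00-002005 check; not part of the STIG or STIGQter.
# Assumption not stated on the page: the auditpr status column holds only OK or FAIL.

# trail_path CONFIG_FILE
# Print the value of "trail" from CONFIG_FILE (bin: stanza layout); fall back
# to the AIX default /audit/trail when no trail line is present.
trail_path() {
    awk -F'=' '
        $1 ~ /^[ \t]*trail[ \t]*$/ {
            gsub(/[ \t]/, "", $2)
            print $2
            found = 1
            exit
        }
        END { if (!found) print "/audit/trail" }
    ' "$1"
}

# status_column_ok   (reads an "auditpr -helRtcp" listing on stdin)
# Exit 0 when the header carries a "status" column and every record has
# OK or FAIL there; exit 1 when the column is missing, a record carries
# another value, or the listing has no records at all.
status_column_ok() {
    awk '
        NR == 1 {                               # heading line printed by -h
            if ($3 != "status") { bad = 1; exit }
            next
        }
        NR == 2 { next }                        # dashed separator line
        NF == 0 { next }                        # blank lines
        $3 != "OK" && $3 != "FAIL" { bad = 1; exit }
        { records++ }
        END { if (bad || records == 0) exit 1 }
    '
}

# check_audit_outcome
# The live check as typed on an AIX host: locate the trail, list it with
# auditpr, and report a finding when no outcome column is recorded.
check_audit_outcome() {
    trail=$(trail_path /etc/security/audit/config)
    if /usr/sbin/auditpr -i "$trail" -helRtcp | status_column_ok; then
        echo "PASS: records in $trail include the outcome (status) column"
        return 0
    fi
    echo "FINDING: no outcome recorded in $trail; run 'audit shutdown' then 'audit start'"
    return 1
}

# Constructed sample listing, taken from the records shown in the check.
SAMPLE_WITH_STATUS='event           login    status      time                     command     process
--------------- -------- ----------- ------------------------ ----------- --------
PROC_Delete     root     OK          Wed Oct 31 23:01:37 2018 audit       9437656
FILE_Open       root     OK          Wed Oct 31 23:01:37 2018 auditbin    12255562
PROC_Execute    root     OK          Wed Oct 31 23:01:44 2018 ls          9437658'

# The same records listed without -R: no status column, so this is a finding.
SAMPLE_NO_STATUS='event           login    time                     command     process
--------------- -------- ------------------------ ----------- --------
PROC_Delete     root     Wed Oct 31 23:01:37 2018 audit       9437656
PROC_Execute    root     Wed Oct 31 23:01:44 2018 ls          9437658'

# Constructed config fragment in the /etc/security/audit/config layout, with a
# non-default trail location to show the value is actually parsed.
SAMPLE_CONFIG='start:
        binmode = off
        streammode = on

bin:
        trail = /var/audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2'

# Offline demonstration against the constructed listings.
printf '%s\n' "$SAMPLE_WITH_STATUS" | status_column_ok && echo "sample with -R: outcome recorded"
printf '%s\n' "$SAMPLE_NO_STATUS" | status_column_ok || echo "sample without -R: finding"
```

On the AIX host itself, source the file and call check_audit_outcome as root; it uses the real /etc/security/audit/config and /usr/sbin/auditpr. The column test keys off the heading rather than the flag string because auditpr fixes the column order regardless of the order the letters are given in -helRtcp.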

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments