STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version: 2, Release: 2, Benchmark Date: 23 Apr 2021

AIX must provide audit record generation functionality for DoD-defined auditable events.

DISA Rule

SV-215246r508663_rule

Vulnerability Number

V-215246

Group Title

SRG-OS-000062-GPOS-00031

Rule Version

AIX7-00-002016

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Use the "stig_audit_config.txt" file to configure the AIX audit process.

Edit the /etc/security/audit/objects file and add or update the following lines to the listed values:

/etc/security/environ:
w = "S_ENVIRON_WRITE"

/etc/security/group:
w = "S_GROUP_WRITE"

/etc/group:
w = "S_GROUP_WRITE"

/etc/security/limits:
w = "S_LIMITS_WRITE"

/etc/security/login.cfg:
w = "S_LOGIN_WRITE"

/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"

/etc/security/user:
w = "S_USER_WRITE"

/etc/security/audit/config:
w = "AUD_CONFIG_WR"


Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start

Note: There are multiple default "classes" defined in the "/etc/security/audit/config" file. The only audit class that is required by this document is the "stig_aud_class". All other defined classes can be removed at the discretion of the organization.

Check Contents

Ensure that auditing is properly configured.

Run the "stig_audit_check.sh" script.

If any results are returned from the script, this is a finding.

Verify that the file "/etc/security/audit/objects" includes the following objects:

/etc/security/environ:
w = "S_ENVIRON_WRITE"

/etc/security/group:
w = "S_GROUP_WRITE"

/etc/group:
w = "S_GROUP_WRITE"

/etc/security/limits:
w = "S_LIMITS_WRITE"

/etc/security/login.cfg:
w = "S_LOGIN_WRITE"

/etc/security/passwd:
r = "S_PASSWD_READ"
w = "S_PASSWD_WRITE"

/etc/security/user:
w = "S_USER_WRITE"

/etc/security/audit/config:
w = "AUD_CONFIG_WR"

If any of the objects listed above are missing from "/etc/security/audit/objects", this is a finding.
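
The manual comparison above can be scripted. The following is an added example, not DISA's "stig_audit_check.sh" and not part of the STIG; the function name check_audit_objects and the REQUIRED variable are assumptions of this example, and the required entries are copied from the list above.

```shell
#!/bin/sh
# Added example, not DISA's stig_audit_check.sh: list required audit
# object entries that are absent from an AIX audit objects file.

# Required "object mode event" triples, copied from the STIG text.
REQUIRED='/etc/security/environ w S_ENVIRON_WRITE
/etc/security/group w S_GROUP_WRITE
/etc/group w S_GROUP_WRITE
/etc/security/limits w S_LIMITS_WRITE
/etc/security/login.cfg w S_LOGIN_WRITE
/etc/security/passwd r S_PASSWD_READ
/etc/security/passwd w S_PASSWD_WRITE
/etc/security/user w S_USER_WRITE
/etc/security/audit/config w AUD_CONFIG_WR'

# check_audit_objects FILE (hypothetical helper name)
# Prints one MISSING line per absent entry; returns non-zero if any.
check_audit_objects() {
    printf '%s\n' "$REQUIRED" | awk -v objfile="$1" '
        BEGIN {
            # Pass 1: parse the stanza file into have["object mode event"].
            while ((getline line < objfile) > 0) {
                sub(/^[ \t]+/, "", line); sub(/[ \t\r]+$/, "", line)
                if (line == "" || line ~ /^[*#]/) continue  # blank or comment
                if (line ~ /^\/.*:$/) {                     # stanza header
                    obj = substr(line, 1, length(line) - 1); continue
                }
                n = split(line, kv, "=")
                if (n != 2 || obj == "") continue
                mode = kv[1]; ev = kv[2]
                gsub(/[ \t]/, "", mode); gsub(/[ \t"]/, "", ev)
                have[obj " " mode " " ev] = 1
            }
            close(objfile)
        }
        # Pass 2: each stdin line is one required entry.
        {
            key = $1 " " $2 " " $3
            if (!(key in have)) {
                printf "MISSING: %s: %s = \"%s\"\n", $1, $2, $3; bad = 1
            }
        }
        END { exit bad + 0 }'
}

# Run against a file only when one is given on the command line.
if [ $# -gt 0 ]; then check_audit_objects "$1"; fi
```

Any MISSING line corresponds to a finding under this check. An entry whose event name or access mode differs from the required value is reported as missing, which a plain search for the object path would not catch.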

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments