STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021:

AIX must produce audit records containing information to establish the date, time, and type of events that occurred.

DISA Rule

SV-215236r508663_rule

Vulnerability Number

V-215236

Group Title

SRG-OS-000037-GPOS-00015

Rule Version

AIX7-00-002001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

Check Contents

Check if audit is turned on by running the following command:

# audit query | grep -i auditing
auditing on

The command should yield the following output:
auditing on

If the command shows "auditing off", this is a finding.

The log file can be set by the "trail" variable in /etc/security/audit/config.
# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is "/audit/trail".

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -helRtcp

event login status time command process
--------------- -------- ----------- ------------------------ ------------------------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658

If the event type is not displayed, this is a finding.

More information on the command options used above:
-e the audit event.
-l the login name of the user.
-R the audit status.
-t the time the record was written.
-c the command name.
-p the process ID.
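The check above is three manual steps (confirm auditing is on, find the trail file, confirm auditpr shows an event type per record). The script below is an added example that automates them; it is not part of the STIG text or a DISA/STIGQter tool. It assumes the command paths the STIG uses (/usr/sbin/audit, /usr/sbin/auditpr, /etc/security/audit/config) exist on the host. The parsing functions take command output as text, so the decision logic can be exercised on the constructed sample output embedded below without an AIX system; run_live wires them to the real commands.

```sh
#!/bin/sh
# Added example: automated check for AIX7-00-002001 (not the STIG's own code).
# Assumes AIX command paths /usr/sbin/audit and /usr/sbin/auditpr and the
# config file /etc/security/audit/config named in the STIG check text.
CONFIG=/etc/security/audit/config

# audit_state QUERY_OUTPUT -> prints "on" or "off" from `audit query` text
audit_state() {
    if printf '%s\n' "$1" | grep -iq 'auditing[[:space:]][[:space:]]*on'; then
        echo on
    else
        echo off
    fi
}

# trail_path CONFIG_TEXT -> the "trail =" value, or the STIG's default
trail_path() {
    p=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*trail[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        | head -n 1)
    if [ -n "$p" ]; then printf '%s\n' "$p"; else printf '%s\n' /audit/trail; fi
}

# event_rows AUDITPR_OUTPUT -> number of data rows whose first column is an
# event type (PROC_Delete, FILE_Open, ...); header and dashed separator excluded
event_rows() {
    printf '%s\n' "$1" | awk '
        /^-+[[:space:]]+-+/ { body = 1; next }                    # separator ends header
        body && $1 ~ /^[A-Za-z][A-Za-z0-9_]*$/ && NF >= 6 { n++ } # -helRtcp yields >= 6 fields
        END { print n + 0 }'
}

# check_rule QUERY_OUTPUT CONFIG_TEXT AUDITPR_OUTPUT -> 0 = not a finding, 1 = finding
check_rule() {
    state=$(audit_state "$1")
    trail=$(trail_path "$2")
    if [ "$state" != on ]; then
        echo "finding: auditing is $state"
        return 1
    fi
    n=$(event_rows "$3")
    if [ "$n" -eq 0 ]; then
        echo "finding: no event type displayed in $trail"
        return 1
    fi
    echo "not a finding: auditing on, $n records with event type in $trail"
    return 0
}

# run_live: perform the check on an AIX host with the commands from the STIG
run_live() {
    q=$(/usr/sbin/audit query 2>&1)
    c=$(cat "$CONFIG" 2>/dev/null)
    a=$(/usr/sbin/auditpr -i "$(trail_path "$c")" -helRtcp 2>/dev/null)
    check_rule "$q" "$c" "$a"
}

# Constructed sample output for offline use (not captured from a real host).
SAMPLE_QUERY_ON='auditing on'
SAMPLE_QUERY_OFF='auditing off'
SAMPLE_CONFIG='bin:
        trail = /audit/trail
        bin1 = /audit/bin1'
SAMPLE_AUDITPR='event login status time command process
--------------- -------- ----------- ------------------------ ------------------------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658'

# Stand-alone demonstration on the constructed samples; use run_live on AIX.
check_rule "$SAMPLE_QUERY_ON" "$SAMPLE_CONFIG" "$SAMPLE_AUDITPR"
check_rule "$SAMPLE_QUERY_OFF" "$SAMPLE_CONFIG" "$SAMPLE_AUDITPR" || :
```

The exit status of check_rule (0 for not a finding, 1 for a finding) makes it usable from a compliance scanner or cron job; the trail path is read from the configuration rather than hard-coded so a site that relocated the trail file is still checked against the file actually in use.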

Documentable

False

Check Content Reference

M

Target Key

4012

Comments