STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

AIX must produce audit records containing the full-text recording of privileged commands.

DISA Rule

SV-215240r508663_rule

Vulnerability Number

V-215240

Group Title

SRG-OS-000042-GPOS-00020

Rule Version

AIX7-00-002006

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

Check Contents

Verify the audit daemon is configured for full-text recording of privileged commands:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -v

event           login    status      time                     command            wpar name
--------------- -------- ----------- ------------------------ ------------------ -------------------------
S_PASSWD_READ   root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        audit object read event detected /etc/security/passwd
S_PASSWD_READ   root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        audit object read event detected /etc/security/passwd
CRON_Start      root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null time = Sat Aug 26 19:35:00 2017
FS_Chdir        root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        change current directory to: /

If the full-text recording of privileged commands is not displayed, this is a finding.

More information on the command options used above:
-v    display detailed information for each event
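The check above can be scripted. The following is an added example, not part of the STIG or of STIGQter: it reads the trail path from audit config text and counts auditpr -v records that carry a full-text "cmd =" detail line, using constructed sample config and audit output embedded in the script (the sample functions, the record-detection heuristic and the function names are assumptions).

```shell
#!/bin/sh
# Added example (not from the STIG): automate the Check Contents above on
# constructed sample data. On AIX, replace the two sample functions with
# "grep trail /etc/security/audit/config" and "/usr/sbin/auditpr -i $trail -v".

# Constructed stand-in for /etc/security/audit/config
sample_audit_config() {
    cat <<'EOF'
start:
bin:
        trail = /audit/trail
EOF
}

# Constructed stand-in for "auditpr -i /audit/trail -v" (detail lines indented)
sample_audit_output() {
    cat <<'EOF'
event           login    status      time                     command            wpar name
--------------- -------- ----------- ------------------------ ------------------ ---------
S_PASSWD_READ   root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        audit object read event detected /etc/security/passwd
CRON_Start      root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        event = start cron job cmd = /usr/sbin/dumpctrl -k >/dev/null 2>/dev/null time = Sat Aug 26 19:35:00 2017
FS_Chdir        root     OK          Sat Aug 26 19:35:00 2017 cron               Global
        change current directory to: /
EOF
}

# Print the trail file from "trail = ..." in config text on stdin, or the
# documented default /audit/trail when no such line exists.
audit_trail_path() {
    p=$(awk -F= '$1 ~ /^[ \t]*trail[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }')
    if [ -n "$p" ]; then printf '%s\n' "$p"; else printf '%s\n' /audit/trail; fi
}

# Count records in auditpr -v output on stdin whose detail lines carry a
# full-text "cmd = ..." field. A record starts with a line whose third
# column is the status (OK/FAIL); the lines that follow are its details.
count_fulltext_commands() {
    awk 'NF >= 5 && ($3 == "OK" || $3 == "FAIL") { in_rec = 1; next }
         in_rec && /cmd = / { n++; in_rec = 0 }
         END { print n + 0 }'
}

# Succeed when at least one full-text command record exists; otherwise a finding.
check_fulltext_recording() { [ "$(count_fulltext_commands)" -gt 0 ]; }

trail=$(sample_audit_config | audit_trail_path)
sample_audit_output | check_fulltext_recording && echo "$trail: compliant" || echo "$trail: FINDING"
```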

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments