STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

AIX audit tools must be owned by root.

DISA Rule

SV-215248r508663_rule

Vulnerability Number

V-215248

Group Title

SRG-OS-000256-GPOS-00097

Rule Version

AIX7-00-002025

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each audit tool in:
/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream

Set the owner to "root".
# chown root <audit tool>

For /usr/sbin/auditldap

Set the owner to "root".
# chown root /usr/sbin/auditldap

Check Contents

Check that the following audit tools are owned by "root":

/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream
/usr/sbin/auditldap

# ls -l /usr/sbin/audit*|grep -v ldap
-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit
-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin
-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat
-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv
-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge
-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr
-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect
-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream
-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap

If any of the above files is not owned by "root", this is a finding.
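The check above can be evaluated mechanically from `ls -l` output. The following is an added example, not part of the STIG or of STIGQter: the function names `audit_owner_findings` and `sample_listing` are hypothetical, and the sample listing is constructed (one owner deliberately changed to "bin", and auditldap left out).

```sh
#!/bin/sh
# Added example: evaluate `ls -l` lines against the rule's ownership check.
# The tool list is the one given in the rule.
AUDIT_TOOLS="/usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv /usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream /usr/sbin/auditldap"

# Reads `ls -l` lines on stdin and prints:
#   FINDING <path> owner=<owner>  for a listed tool whose owner is not root
#   MISSING <path>                for a listed tool with no line in the input
# Exit status is 1 if any FINDING was printed, otherwise 0.
# MISSING lines are informational and do not change the exit status.
audit_owner_findings() {
    awk -v tools="$AUDIT_TOOLS" '
        BEGIN {
            n = split(tools, want, " ")
            for (i = 1; i <= n; i++) listed[want[i]] = 1
        }
        # Field 3 of an `ls -l` line is the owner; the last field is the path.
        NF >= 9 && ($NF in listed) {
            seen[$NF] = 1
            if ($3 != "root") { print "FINDING " $NF " owner=" $3; bad = 1 }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) print "MISSING " want[i]
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample input: auditpr owned by "bin", auditldap absent.
sample_listing() {
    cat <<'EOF'
-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit
-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin
-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat
-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv
-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge
-r-sr-x--- 1 bin audit 53466 Mar 30 2016 /usr/sbin/auditpr
-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect
-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream
EOF
}

# On a live system (assumed usage): ls -l $AUDIT_TOOLS 2>/dev/null | audit_owner_findings
```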

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments