STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide, Version 2, Release 2, Benchmark Date: 23 Apr 2021

AIX audit tools must be group-owned by audit.

DISA Rule

SV-215249r508663_rule

Vulnerability Number

V-215249

Group Title

SRG-OS-000256-GPOS-00097

Rule Version

AIX7-00-002026

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each audit tool in:
/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream

Set the group to "audit".
# chgrp audit <audit tool>

For /usr/sbin/auditldap:

Set the group to "security".
# chgrp security /usr/sbin/auditldap

Check Contents

Check the following audit tools are group-owned by "audit":

/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream

# ls -l /usr/sbin/audit*|grep -v ldap
-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit
-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin
-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat
-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv
-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge
-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr
-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect
-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream

If any of the above files are not group-owned by "audit", this is a finding.

Verify that "/usr/sbin/auditldap" is group-owned by "security":

# ls -l /usr/sbin/auditldap
-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap

If the group-owner of "/usr/sbin/auditldap" is not "security", this is a finding.
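The check and fix above can be scripted so the eight "audit"-group tools and the "security"-group auditldap binary are evaluated from "ls -l" output and, on request, remediated with the same "chgrp" the Fix Recommendation gives. The script below is an added example, not part of the STIG or of STIGQter; the function names, the AUDIT_TOOLS list and the "--live"/"--fix" flags are this example's own. The sample listing lines it is tested against are constructed from the expected output shown in the check.

```shell
#!/bin/sh
# Added example (not from the STIG or STIGQter): evaluate and remediate
# AIX7-00-002026 from "ls -l"-style output. The required group per tool is
# taken from the check text: "audit" for the eight audit tools, "security"
# for /usr/sbin/auditldap. Function and variable names are this example's own.

AUDIT_TOOLS="/usr/sbin/audit /usr/sbin/auditbin /usr/sbin/auditcat /usr/sbin/auditconv
/usr/sbin/auditmerge /usr/sbin/auditpr /usr/sbin/auditselect /usr/sbin/auditstream
/usr/sbin/auditldap"

# expected_group PATH: print the group the STIG requires; fail for other paths.
expected_group() {
    case "$1" in
        /usr/sbin/auditldap) echo security ;;
        /usr/sbin/audit|/usr/sbin/auditbin|/usr/sbin/auditcat|/usr/sbin/auditconv) echo audit ;;
        /usr/sbin/auditmerge|/usr/sbin/auditpr|/usr/sbin/auditselect|/usr/sbin/auditstream) echo audit ;;
        *) return 1 ;;
    esac
}

# check_listing_line "LS_LINE": parse one "ls -l" line (group is field 4,
# path is the last field). Returns 0 = compliant, 1 = finding, 2 = not a
# file covered by this rule.
check_listing_line() {
    line=$1
    set -- $line
    group=$4
    path=""
    for word; do path=$word; done
    if ! want=$(expected_group "$path"); then
        printf 'SKIP    %s: not covered by AIX7-00-002026\n' "$path"
        return 2
    fi
    if [ "$group" = "$want" ]; then
        printf 'PASS    %s group=%s\n' "$path" "$group"
        return 0
    fi
    printf 'FINDING %s group=%s expected=%s\n' "$path" "$group" "$want"
    return 1
}

# check_live [fix]: run the check on the local host with "ls -ld" per tool,
# so a tool that is not installed is reported rather than silently skipped
# by the glob. With the "fix" argument, apply the STIG remediation
# "chgrp <group> <tool>" to each finding. Returns the number of findings left.
check_live() {
    findings=0
    for tool in $AUDIT_TOOLS; do
        if [ ! -e "$tool" ]; then
            printf 'MISSING %s\n' "$tool"
            continue
        fi
        if ! check_listing_line "$(ls -ld "$tool")"; then
            if [ "${1:-}" = fix ] && chgrp "$(expected_group "$tool")" "$tool"; then
                printf 'FIXED   %s\n' "$tool"
            else
                findings=$((findings + 1))
            fi
        fi
    done
    return "$findings"
}

# Usage on an AIX host: "sh audit_group_check.sh --live" to report,
# "sh audit_group_check.sh --fix" (as root) to report and remediate.
case "${1:-}" in
    --live) check_live ;;
    --fix)  check_live fix ;;
esac
```

Running the check per file with "ls -ld" rather than the page's "ls -l /usr/sbin/audit*" glob means a tool that has been removed shows up as MISSING instead of disappearing from the listing, and the exit status of check_live carries the count of open findings so it can feed a compliance job.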

Vulnerability Number

V-215249

Documentable

False

Rule Version

AIX7-00-002026

Severity Override Guidance

Check Content Reference

M

Target Key

4012

Comments