STIGQter: STIG Summary: IBM AIX 7.x Security Technical Implementation Guide Version: 2 Release: 2 Benchmark Date: 23 Apr 2021

AIX audit tools must be set to 4550 or less permissive.

DISA Rule

SV-215250r508663_rule

Vulnerability Number

V-215250

Group Title

SRG-OS-000256-GPOS-00097

Rule Version

AIX7-00-002027

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

For each audit tool in:
/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream

Set the permission to "4550".
# chmod 4550 <audit tool>

For /usr/sbin/auditldap:

Set the permission to "500".
# chmod 500 /usr/sbin/auditldap

Check Contents

Check that the following audit tools are set to "4550" or less permissive:

/usr/sbin/audit
/usr/sbin/auditbin
/usr/sbin/auditcat
/usr/sbin/auditconv
/usr/sbin/auditmerge
/usr/sbin/auditpr
/usr/sbin/auditselect
/usr/sbin/auditstream

# ls -l /usr/sbin/audit*|grep -v ldap
-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit
-r-sr-x--- 1 root audit 41240 Mar 30 2016 /usr/sbin/auditbin
-r-sr-x--- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat
-r-sr-x--- 1 root audit 13072 Mar 30 2016 /usr/sbin/auditconv
-r-sr-x--- 1 root audit 11328 Mar 30 2016 /usr/sbin/auditmerge
-r-sr-x--- 1 root audit 53466 Mar 30 2016 /usr/sbin/auditpr
-r-sr-x--- 1 root audit 33128 Mar 30 2016 /usr/sbin/auditselect
-r-sr-x--- 1 root audit 29952 Mar 30 2016 /usr/sbin/auditstream

If the permission of any file listed above is more permissive than "4550", this is a finding.

Verify that "/usr/sbin/auditldap" is set to "500" or less permissive:

# ls -l /usr/sbin/auditldap
-r-x------ 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap

If the permission of "/usr/sbin/auditldap" is more permissive than "500", this is a finding.
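
The check above can be scripted by treating "or less permissive" as a bit mask: a file passes only if it sets no permission bit that the maximum mode lacks. The following is an added example, not part of the STIG text; the function names are hypothetical and the sample listing is constructed.

```shell
#!/bin/sh
# Convert an ls mode string (e.g. -r-sr-x---) to four octal digits (4550).
mode_to_octal() {
    special=0 out=""
    for i in 2 5 8; do                  # first column of each rwx triplet
        t=$(printf '%s' "$1" | cut -c"$i"-$((i + 2)))
        d=0
        case $t in r??) d=$((d + 4)) ;; esac
        case $t in ?w?) d=$((d + 2)) ;; esac
        case $t in ??[xst]) d=$((d + 1)) ;; esac
        # s/S (setuid, setgid) and t/T (sticky) share the execute column
        case $i$t in
            2??[sS]) special=$((special + 4)) ;;
            5??[sS]) special=$((special + 2)) ;;
            8??[tT]) special=$((special + 1)) ;;
        esac
        out=$out$d
    done
    printf '%s%s\n' "$special" "$out"
}

# Succeed only if the mode sets no bit outside the allowed maximum.
# Comparing the numbers is not enough: 4107 < 4550, yet 4107 is world-rwx.
is_compliant() {
    actual=$(mode_to_octal "$1")
    [ $(( 0$actual & ~0$2 & 07777 )) -eq 0 ]
}

# Read `ls -l` lines on stdin; auditldap is held to 500, other tools to 4550.
check_listing() {
    findings=0
    while read -r perms x x x x x x x path; do
        case $path in */auditldap) max=500 ;; *) max=4550 ;; esac
        if ! is_compliant "$perms" "$max"; then
            echo "FINDING: $path mode $(mode_to_octal "$perms") exceeds $max"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample: auditcat is world-readable, auditldap is group-executable.
check_listing <<'EOF' || echo "listing is not compliant"
-r-sr-x--- 1 root audit 64926 Mar 30 2016 /usr/sbin/audit
-r-sr-xr-- 1 root audit 40700 Mar 30 2016 /usr/sbin/auditcat
-r-x--x--- 1 root security 12204 Mar 30 2016 /usr/sbin/auditldap
EOF
```

On a live system the same function can be fed the output of the two ls commands shown in the check.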

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4012
