UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The system must be configured to send audit records to a remote audit server.


Overview

Finding ID Version Rule ID IA Controls Severity
V-24357 GEN002870 SV-38859r1_rule ECTB-1 Low
Description
Audit records contain evidence that can be used in the investigation of compromised systems. To prevent this evidence from compromise, it must be sent to a separate system continuously. Methods for sending audit records include, but are not limited to, system audit tools used to send logs directly to another host or through the system's syslog service to another host.
STIG Date
AIX 5.3 Security Technical Implementation Guide 2012-05-25

Details

Check Text ( C-37851r2_chk )
Ask the SA to provide information on the remote logging of audit records. Verify the configuration described is functioning. If no method of remote logging of audit records is in place or functioning, this is a finding.

Methods of remote audit record logging will be site-specific and may depend on the use of third-party tools. One possible method with AIX is the use of the audit streams facility such as:

Verify "streammode = on" in /etc/security/audit/config.

Check that /etc/security/audit/streamcmds sends stream logs to the syslog facility with an entry such as:
/usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &

Check that the /etc/syslog.conf file is configured to send local7.info to a remote server with an entry such as:
local7.info @logserver
Fix Text (F-33114r2_fix)
Configure the system to send audit records to a remote system. The actual method is left to site discretion and may involve the use of third-party products.

One method for performing remote audit logging involves streaming audit records to syslog and using syslog to send the records to another system.

Enable stream mode by editing the /etc/security/audit/config and set streammode = on.

Edit /etc/security/audit/streamcmds to send stream logs to the syslog facility with an entry such as:
/usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &

Edit the /etc/syslog.conf file to configure syslog to send local7.info to a remote server with an entry such as:
Local7.info @logserver