Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-815 | GEN002740 | SV-27294r1_rule | ECAR-1 ECAR-2 ECAR-3 | Medium |
Description |
---|
If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise. |
STIG | Date |
---|---|
AIX 5.3 Security Technical Implementation Guide | 2012-05-25 |
Check Text ( C-37843r1_chk ) |
---|
Check the system audit configuration to determine if failed attempts to access files and programs are audited. # more /etc/security/audit/events If auditing of the FILE_Unlink or FS_Rmdir events is not configured, this is a finding. If no results are returned, this is a finding. Check that the FILE_Unlink and FS_Rmdir audit events are defined in an audit class in the classes: stanza of the /etc/security/audit/config file. # more /etc/security/audit/config Make note of the audit class(es) that the FILE_Unlink and FS_Rmdir events are associated with. If the FILE_Unlink and FS_Rmdir events are not associated with any audit classes in the classes: stanza, this is a finding. Verify the audit class is associated with the default user and all other user IDs listed in the users: stanza of the /etc/security/audit/config file. # more /etc/security/audit/config If the class(es) that the FILE_Unlink and FS_Rmdir events are associated with are not assigned to the default user and all the system users in the users: stanza, this is a finding. |
Fix Text (F-33106r1_fix) |
---|
Edit /etc/security/audit/events and add the FILE_Unlink or FS_Rmdir events to the list of audited events. Edit /etc/security/audit/config and add the FILE_Unlink and FS_Rmdir audit events to an audit class in the classes: stanza. Edit /etc/security/audit/config and assign the audit classes containing the FILE_Unlink and FS_Rmdir events to all users listed in the users: stanza. |
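
The three steps of the check text can be run offline against collected copies of the two files. The following is an added example, not part of the STIG: the function names and sample file contents are constructed for illustration, and it assumes one `name = value` entry per line and that the built-in ALL class covers every event.

```python
import re

REQUIRED = ("FILE_Unlink", "FS_Rmdir")

def parse_stanzas(text):
    """Parse AIX stanza text into {stanza: {key: [comma-separated values]}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # blank line or '*' comment
            continue
        header = re.fullmatch(r"(\w+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return stanzas

def check_v815(events_text, config_text):
    """Return a list of findings; an empty list means the check passes."""
    defined = parse_stanzas(events_text).get("auditpr", {})
    findings = [f"{ev}: not defined in events file" for ev in REQUIRED if ev not in defined]
    config = parse_stanzas(config_text)
    classes, users = config.get("classes", {}), config.get("users", {})
    for ev in REQUIRED:
        if not any(ev in evs for evs in classes.values()):
            findings.append(f"{ev}: not in any class in classes: stanza")
    if "default" not in users:
        findings.append("users: stanza has no default entry")
    for user, assigned in users.items():
        covered = set()
        for cls in assigned:
            # Assumption: the built-in ALL class covers every event.
            covered |= set(REQUIRED) if cls == "ALL" else set(classes.get(cls, []))
        findings += [f"user {user}: {ev} not audited" for ev in REQUIRED if ev not in covered]
    return findings

# Constructed sample files (not taken from a real system).
SAMPLE_EVENTS = 'auditpr:\n\tFILE_Unlink = printf "filename %s"\n\tFS_Rmdir = printf "remove of directory: %s"\n'
SAMPLE_CONFIG = """classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FS_Rmdir
        files = FILE_Unlink,FILE_Rename
users:
        oper = files
        default = general
"""

print(check_v815(SAMPLE_EVENTS, SAMPLE_CONFIG))
```

In the sample, both events are defined and belong to a class, but the `oper` user is assigned only the `files` class, so directory removals by that user would go unaudited.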