The system must be configured to send audit records to a remote audit server.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-24357 | GEN002870 | SV-38859r1_rule | ECTB-1 | Low |
| Description |
|---|
| Audit records contain evidence that can be used in the investigation of compromised systems. To prevent this evidence from compromise, it must be sent to a separate system continuously. Methods for sending audit records include, but are not limited to, system audit tools used to send logs directly to another host or through the system's syslog service to another host. |
| STIG | Date |
|---|---|
| Draft AIX Security Technical Implementation Guide | 2011-08-17 |
Details
| Check Text ( C-37851r1_chk ) |
|---|
| Consult vendor documentation to determine the settings required for the audit system for sending audit records to a remote system or via syslog. Remote audit logging can be done with the syslog (logger) facility or a third party tool. If the system is not configured to send audit logs to a remote system, this is a finding. |
| Fix Text (F-33114r1_fix) |
|---|
| Configure the system to send audit records to a remote system. Enable stream mode by editing the /etc/security/audit/config and set streammode = on. Edit /etc/security/audit/streamcmds to send stream logs to the syslog facility with an entry such as: /usr/sbin/auditstream | auditpr –v | /usr/bin/logger –p local7.info & Edit the /etc/syslog.conf file to configure syslog to send local7.info to a remote server with an entry such as: Local7.info @logserver |