The system must use a separate file system for the system audit data path..

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-23738	GEN003623	SV-35054r1_rule	ECSC-1	Low

Description
The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

STIG	Date
HP-UX 11.23 Security Technical Implementation Guide	2015-12-02

Details

Check Text ( C-34924r3_chk )
Determine if the /var/.audit path exists. # ls -alLd /var /var/.audit If the above paths do not exist, this is not a finding. If the above /var/.audit path exists, determine if /var/.audit is a separate filesystem. # cat /etc/fstab \| tr '\011' ' ' \| tr -s ' ' \| sed -e 's/^[ \t]*//' \| \ grep -v "^#" \| cut -f 2,2 -d " " \| grep "^/var/.audit" \| \ grep -v "/var/.audit/" If the above command returns nothing, /var/.audit is not on a separate filesystem and this is a finding.

Check Text ( C-34924r3_chk )

Determine if the /var/.audit path exists.

# ls -alLd /var /var/.audit

If the above paths do not exist, this is not a finding.

If the above /var/.audit path exists, determine if /var/.audit is a separate filesystem.

# cat /etc/fstab | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | \ grep -v "^#" | cut -f 2,2 -d " " | grep "^/var/.audit" | \ grep -v "/var/.audit/"

If the above command returns nothing, /var/.audit is not on a separate filesystem and this is a finding.

Fix Text (F-30229r2_fix)
Migrate the audit log path onto a separate filesystem. The following assumes that /var exists and that the new audit log mount point will be /var/.audit. Verify if auditing is running: # ps -ef \| grep audomon \| grep -v grep If auditing is running, issue the stop command: # /sbin/init.d/auditing stop Use SAM/SMH to: - Create a new Logical Volume (size to be determined based on local site requirements). - Create a VxFS file system on the new logical volume, paying special attention to site requirements such as Access Permissions, Allocation Policies, Mirroring considerations, large/no-large files and mount options such as suid/nosuid and ro/rw. Verify the /etc/fstab /var/.audit entry # more /etc/fstab Verify the current mounts: # mount Mount /var/.audit if not yet mounted: # mount -a Re-start the auditing subsystem: # /sbin/init.d/auditing start Verify that auditing is now running: # ps -ef \| grep audomon \| grep -v grep

Fix Text (F-30229r2_fix)

Migrate the audit log path onto a separate filesystem. The following assumes that /var exists and that the new audit log mount point will be
/var/.audit.

Verify if auditing is running:
# ps -ef | grep audomon | grep -v grep

If auditing is running, issue the stop command:
# /sbin/init.d/auditing stop

Use SAM/SMH to:
- Create a new Logical Volume (size to be determined based on local site requirements).
- Create a VxFS file system on the new logical volume, paying special attention to site requirements such as Access Permissions, Allocation Policies, Mirroring considerations, large/no-large files and mount options such
as suid/nosuid and ro/rw.

Verify the /etc/fstab /var/.audit entry
# more /etc/fstab

Verify the current mounts:
# mount

Mount /var/.audit if not yet mounted:
# mount -a

Re-start the auditing subsystem:
# /sbin/init.d/auditing start

Verify that auditing is now running:
# ps -ef | grep audomon | grep -v grep