Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-23738 | GEN003623 | SV-35054r1_rule | ECSC-1 | Low |
Description |
---|
The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing. |
STIG | Date |
---|---|
HP-UX 11.31 Security Technical Implementation Guide | 2017-12-08 |
Check Text ( C-34924r3_chk ) |
---|
Determine if the /var/.audit path exists. # ls -alLd /var /var/.audit If the above paths do not exist, this is not a finding. If the above /var/.audit path exists, determine if /var/.audit is a separate filesystem. # cat /etc/fstab | tr '\011' ' ' | tr -s ' ' | sed -e 's/^[ \t]*//' | \ grep -v "^#" | cut -f 2,2 -d " " | grep "^/var/.audit" | \ grep -v "/var/.audit/" If the above command returns nothing, /var/.audit is not on a separate filesystem and this is a finding. |
Fix Text (F-30229r2_fix) |
---|
Migrate the audit log path onto a separate filesystem. The following assumes that /var exists and that the new audit log mount point will be /var/.audit. Verify if auditing is running: # ps -ef | grep audomon | grep -v grep If auditing is running, issue the stop command: # /sbin/init.d/auditing stop Use SAM/SMH to: - Create a new Logical Volume (size to be determined based on local site requirements). - Create a VxFS file system on the new logical volume, paying special attention to site requirements such as Access Permissions, Allocation Policies, Mirroring considerations, large/no-large files and mount options such as suid/nosuid and ro/rw. Verify the /etc/fstab /var/.audit entry # more /etc/fstab Verify the current mounts: # mount Mount /var/.audit if not yet mounted: # mount -a Re-start the auditing subsystem: # /sbin/init.d/auditing start Verify that auditing is now running: # ps -ef | grep audomon | grep -v grep |