UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.


Overview

Finding ID Version Rule ID IA Controls Severity
V-91251 AIX7-00-002004 SV-101351r1_rule Medium
Description
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2019-04-29

Details

Check Text ( C-92251r1_chk )
Verify the audit event "process id" is displayed:

The log file can be set by the "trail" variable in /etc/security/audit/config.

# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is /audit/trail.

Use the following command to display the audit events:

# /usr/sbin/auditpr -i -helRtcp

event login status time command
process
--------------- -------- ----------- ------------------------ ------------------
------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit
9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin
12255562
PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh
12976466
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh
9437658
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh
9437658
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls
9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ls
9437658

If user id or process id is not displayed, this is a finding.

More information on the command options used above:
-e the audit event.
-l the login name of the user.
-R the audit status.
-t the time the record was written.
-c the command name.
-p the process ID.
Fix Text (F-97451r1_fix)
Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start