Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-219956 | AIX7-00-002017 | SV-219956r508663_rule | | Medium |
Description |
---|
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
STIG | Date |
---|---|
IBM AIX 7.x Security Technical Implementation Guide | 2021-06-16 |
Check Text ( C-21667r364827_chk ) |
---|

Verify the action the operating system takes if the disk the audit records are written to becomes full.

Verify that the file "/etc/security/audit/config" includes the required settings with the following command:

```
# cat /etc/security/audit/config
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```

If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.
Fix Text (F-21666r364828_fix) |
---|

Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

```
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```

Restart the audit process:

```
# /usr/sbin/audit shutdown
# /usr/sbin/audit start
```
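The check above can be scripted instead of read by eye. The following is an added example, not part of the STIG: the names `check_audit_bin` and `sample_config` are hypothetical, the sample file is constructed, and it assumes "binsize" and "freespace" are minimums (per the Fix Text note) while every other setting must match exactly.

```shell
# Added example (not STIG text): check the "bin:" stanza of an AIX audit config.
# Prints one line per finding; returns 1 if there is any finding, else 0.
check_audit_bin() {
    awk '
    function fail(msg) { print "FINDING: " msg; bad = 1 }
    BEGIN {
        # Settings compared for an exact match with the check text.
        want["trail"] = "/audit/trail"; want["bin1"] = "/audit/bin1"
        want["bin2"] = "/audit/bin2"; want["cmds"] = "/etc/security/audit/bincmds"
        want["backuppath"] = "/audit"; want["backupsize"] = "0"; want["bincompact"] = "off"
        # Minimums: the listed value or greater passes (assumption, see lead-in).
        min["binsize"] = 25000; min["freespace"] = 65536
    }
    /^[ \t]*\*/ || /^[ \t]*$/ { next }        # stanza-file comment or blank line
    /^[^ \t].*:[ \t]*$/ { sub(/:[ \t]*$/, ""); in_bin = ($0 == "bin"); next }
    in_bin && (eq = index($0, "=")) {         # attribute line inside bin:
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val); got[key] = val
    }
    END {
        for (k in want) {
            if (!(k in got)) fail(k " is missing")
            else if (got[k] != want[k]) fail(k " = " got[k] ", expected " want[k])
        }
        for (k in min) {
            if (!(k in got)) fail(k " is missing")
            else if (got[k] !~ /^[0-9]+$/ || got[k] + 0 < min[k]) fail(k " = " got[k] ", minimum " min[k])
        }
        exit bad + 0
    }' "$@"
}
# Constructed sample: freespace is below the minimum and bincompact is absent.
sample_config() {
    cat <<'EOF'
bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 25000
    cmds = /etc/security/audit/bincmds
    freespace = 8192
    backuppath = /audit
    backupsize = 0
stream:
    cmds = /etc/security/audit/streamcmds
EOF
}
sample_config | check_audit_bin || echo "bin: stanza is non-compliant"
```

On a host, run `check_audit_bin /etc/security/audit/config`; only attributes inside the "bin:" stanza are evaluated, so the "cmds" entry under "stream:" does not affect the result.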