UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must produce audit records containing information to establish what the date, time, and type of events that occurred.


Overview

Finding ID Version Rule ID IA Controls Severity
V-215236 AIX7-00-002001 SV-215236r508663_rule Medium
Description
Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in AIX audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2023-08-23

Details

Check Text ( C-16434r294159_chk )
Check if audit is turned on by running the following command:

# audit query | grep -i auditing
auditing on

The command should yield the following output:
auditing on

If the command shows "auditing off", this is a finding.

The log file can be set by the "trail" variable in /etc/security/audit/config.
# grep trail /etc/security/audit/config
trail = /audit/trail

Note: The default log file is "/audit/trail".

Use the following command to display the audit events:

# /usr/sbin/auditpr -i -helRtcp

event login status time command process
--------------- -------- ----------- ------------------------ ------------------------------- --------
PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562
PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658
FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658
PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658
FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658

If event type is not displayed, this is a finding.

More information on the command options used above:
-e the audit event.
-l the login name of the user.
-R the audit status.
-t the time the record was written.
-c the command name.
-p the process ID.
Fix Text (F-16432r294160_fix)
Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start