UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.


Overview

Finding ID Version Rule ID IA Controls Severity
V-219956 AIX7-00-002017 SV-219956r877390_rule Medium
Description
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
STIG Date
IBM AIX 7.x Security Technical Implementation Guide 2023-08-23

Details

Check Text ( C-21667r853495_chk )
Verify the action the operating system takes if the disk the audit records are written to becomes full.

Verify that the file "/etc/security/audit/config" includes the required settings with the following command:

# cat /etc/security/audit/config

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.
Fix Text (F-21666r853496_fix)
Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start