Check: AIX7-00-002004
IBM AIX 7.x STIG:
AIX7-00-002004
(in versions v3 r1 through v1 r1)
Title
AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event. (Cat II impact)
Discussion
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack. Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event. In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services. In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event. Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096
Check Content
Verify the audit event "process id" is displayed: The log file can be set by the "trail" variable in /etc/security/audit/config. # grep trail /etc/security/audit/config trail = /audit/trail Note: The default log file is /audit/trail. Use the following command to display the audit events: # /usr/sbin/auditpr -i <audit log file> -helRtcp event login status time command process --------------- -------- ----------- ------------------------ ------------------ ------------- -------- PROC_Delete root OK Wed Oct 31 23:01:37 2018 audit 9437656 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Open root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Read root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 FILE_Close root OK Wed Oct 31 23:01:37 2018 auditbin 12255562 PROC_Create root OK Wed Oct 31 23:01:44 2018 ksh 12976466 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Read root OK Wed Oct 31 23:01:44 2018 ksh 9437658 FILE_Close root OK Wed Oct 31 23:01:44 2018 ksh 9437658 PROC_Execute root OK Wed Oct 31 23:01:44 2018 ls 9437658 FILE_Open root OK Wed Oct 31 23:01:44 2018 ls 9437658 If user id or process id is not displayed, this is a finding. More information on the command options used above: -e the audit event. -l the login name of the user. -R the audit status. -t the time the record was written. -c the command name. -p the process ID.
Fix Text
Reset the audit system with the following command: # /usr/sbin/audit shutdown Start the audit system with the following command: # /usr/sbin/audit start
Additional Identifiers
Rule ID: SV-215238r958418_rule
Vulnerability ID: V-215238
Group Title: SRG-OS-000040-GPOS-00018
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000133 |
Ensure that audit records containing information that establishes the source of the event. |
CCI-001487 |
Ensure that audit records containing information that establishes the identity of any individuals, subjects, or objects/entities associated with the event. |
Controls
Number | Title |
---|---|
AU-3 |
Content of Audit Records |