Check: AIX7-00-002011
IBM AIX 7.x STIG:
AIX7-00-002011
(in versions v2 r9 through v1 r1)
Title
AIX must provide the function to filter audit records for events of interest based upon all audit fields within audit records, support on-demand reporting requirements, and an audit reduction function that supports on-demand audit review and analysis and after-the-fact investigations of security incidents. (Cat II impact)
Discussion
The ability to specify the event criteria that are of interest provides the individuals reviewing the logs with the ability to quickly isolate and identify these events without having to review entries that are of little or no consequence to the investigation. Without this capability, forensic investigations are impeded. Events of interest can be identified by the content of specific audit record fields, including, for example, identities of individuals, event types, event locations, event times, event dates, system resources involved, IP addresses involved, or information objects accessed. Organizations may define audit event criteria to any degree of granularity required, for example, locations selectable by general networking location (e.g., by network or subnetwork) or selectable by specific information system component. The ability to generate on-demand reports, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports as needed to better handle larger-scale or more complex security incidents. The ability to perform on-demand audit review and analysis, including after the audit data has been subjected to audit reduction, greatly facilitates the organization's ability to generate incident reports, as needed, to better handle larger-scale or more complex security incidents. If the audit reduction capability does not support after-the-fact investigations, it is difficult to establish, correlate, and investigate the events leading up to an outage or attack, or identify those responses for one. This capability is also required to comply with applicable Federal laws and DoD policies. Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. The report generation capability provided by the application must support on-demand (i.e., customizable, ad hoc, and as-needed) reports. This requires operating systems to provide the capability to customize audit record reports based on all available criteria. Satisfies: SRG-OS-000054-GPOS-00025, SRG-OS-000122-GPOS-00063, SRG-OS-000348-GPOS-00136, SRG-OS-000349-GPOS-00137
Check Content
The application file "/usr/sbin/auditselect" provides the audit filtering function. Check if it exists: # ls -l /usr/sbin/auditselect -r-sr-x--- 1 root audit 36240 Jul 4 1776 /usr/sbin/auditselect If the "/usr/sbin/auditselect" file does not exist, this is a finding
Fix Text
Re-install the "bos.rte.security" fileset from the base media. Use "installp" command (assume cd is mounted). # installp -aXYqg -d /dev/cd0 bos.rte.security
Additional Identifiers
Rule ID: SV-215242r853461_rule
Vulnerability ID: V-215242
Group Title: SRG-OS-000054-GPOS-00025
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000158 |
The information system provides the capability to process audit records for events of interest based on organization-defined audit fields within audit records. |
CCI-001875 |
The information system provides an audit reduction capability that supports on-demand audit review and analysis. |
CCI-001876 |
The information system provides an audit reduction capability that supports on-demand reporting requirements. |
CCI-001877 |
The information system provides an audit reduction capability that supports after-the-fact investigations of security incidents. |