Title

AIX must start audit at boot. (Cat II impact)

Discussion

If auditing is enabled late in the start-up process, the actions of some start-up processes may not be audited. Some audit systems also maintain state information only available if auditing is enabled before a given process is created.

Check Content

Check if /etc/rc contains the following line: /usr/sbin/audit start # grep "audit start" /etc/rc /usr/sbin/audit start If a result is not returned, this is a finding.

Fix Text

To start auditing at system startup, add the following line to the /etc/rc file, just prior to the line reading dspmsg rc.cat 5 'Multi-user initialization completed': /usr/sbin/audit start Symmetrically add the '/usr/sbin/audit shutdown' command to /etc/rc.shutdown.

Additional Identifiers

Rule ID: SV-215247r508663_rule

Vulnerability ID: V-215247

Group Title: SRG-OS-000254-GPOS-00095

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.