Title

AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full. (Cat II impact)

Discussion

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Check Content

Verify the action the operating system takes if the disk the audit records are written to becomes full. Verify that the file "/etc/security/audit/config" includes the required settings with the following command: # cat /etc/security/audit/config bin: trail = /audit/trail bin1 = /audit/bin1 bin2 = /audit/bin2 binsize = 25000 cmds = /etc/security/audit/bincmds freespace = 65536 backuppath = /audit backupsize = 0 bincompact = off If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.

Fix Text

Edit the /etc/security/audit/config file and add/modify the following values: Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values. bin: trail = /audit/trail bin1 = /audit/bin1 bin2 = /audit/bin2 binsize = 25000 cmds = /etc/security/audit/bincmds freespace = 65536 backuppath = /audit backupsize = 0 bincompact = off Restart the audit process: # /usr/sbin/audit shutdown # /usr/sbin/audit start

Additional Identifiers

Rule ID: SV-219956r877390_rule

Vulnerability ID: V-219956

Group Title: SRG-OS-000342-GPOS-00133

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.