Title

AIX must allocate audit record storage capacity to store at least one weeks worth of audit records, when audit records are not immediately sent to a central audit record storage facility. (Cat II impact)

Discussion

In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of AIX.

Check Content

Check the file system size where the log file resides is greater than the organizationally defined size of audit logs for one week (1GB). Find out where the audit log resides: # grep trail /etc/security/audit/config trail = /audit/trail Find out the available space in the file system hosting the audit logs. # df /audit/trail Filesystem 512-blocks Free %Used Iused %Iused Mounted on /dev/hd4 1966080 1792872 9% 3913 2% / If the "512-blocks" multiplied by "Free" is less than the required size for the audit logs, this is a finding.

Fix Text

Increase the size of the file system hosting the audit logs (by 1GB). # chfs -a size=+1G <root of file system for audit logs>

Additional Identifiers

Rule ID: SV-215253r877391_rule

Vulnerability ID: V-215253

Group Title: SRG-OS-000341-GPOS-00132

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.