This recommendation verifies the access control settings for the default locations of the AUDIT configuration and output files. The default location for the AUDIT subsystem configuration files is /etc/security/audit. The default location for output produced by the audit subsystem is the directory /audit. Access control must prevent unauthorized access. NOTE: If your configuration does not store output in /audit, ensure the directory used instead is configured to prevent unauthorized access.
Solution
Ensure correct ownership and permissions are in place for /etc/security/audit and /audit:

    #!/usr/bin/ksh -e
    # audit_subsys:4.8.1.4
    # Provided to CIS by AIXTools
    # Copyright AIXTools, 2022

    for AUDITDIR in /etc/security/audit /audit; do
      # Everything except lost+found is owned by root:audit
      find "${AUDITDIR}" | grep -v 'lost+found' | xargs chown root:audit
      # Directories: rwx for root, r-x plus setgid for group audit, nothing for others
      find "${AUDITDIR}" -type d | grep -v 'lost+found' | xargs chmod u=rwx,g=rxs,o=
      # Everything else: rw for root, r for group audit, nothing for others
      find "${AUDITDIR}" ! -type d | grep -v 'lost+found' | xargs chmod -R u=rw,g=r,o=
    done
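The Solution above sets the permissions but does not show how to verify them. The following read-only check is an added example, not part of the CIS or AIXTools script: it reports every entry that deviates from the state the remediation produces (root:audit, directories 2750, regular files 0640). The function name `check_audit_perms` and its optional OWNER and GROUP arguments are assumptions introduced here.

```shell
#!/bin/sh
# Added example: read-only compliance check for the audit directories.
# Expected state is what the remediation sets: owner root, group audit,
# directories 2750 (u=rwx,g=rxs,o=), regular files 0640 (u=rw,g=r,o=).
# The OWNER and GROUP arguments are an assumption added so the check can be
# exercised on a scratch tree; on AIX leave them at their defaults.

check_audit_perms() {   # usage: check_audit_perms DIR [OWNER] [GROUP]
    cap_dir=$1
    cap_owner=${2:-root}
    cap_group=${3:-audit}

    if [ ! -d "$cap_dir" ]; then
        echo "MISSING $cap_dir"
        return 1
    fi

    # Each find prunes lost+found, as the remediation's grep -v does, and
    # prints only entries that deviate. Nothing is modified.
    cap_findings=$(
        find "$cap_dir" -name lost+found -prune -o ! -user "$cap_owner" -print |
            sed 's/^/OWNER /'
        find "$cap_dir" -name lost+found -prune -o ! -group "$cap_group" -print |
            sed 's/^/GROUP /'
        find "$cap_dir" -name lost+found -prune -o -type d ! -perm 2750 -print |
            sed 's/^/DIRMODE /'
        find "$cap_dir" -name lost+found -prune -o -type f ! -perm 640 -print |
            sed 's/^/FILEMODE /'
    )

    if [ -n "$cap_findings" ]; then
        printf '%s\n' "$cap_findings"
        return 1
    fi
    return 0
}

# Check every directory named on the command line, e.g.
#   sh check_audit_perms.sh /etc/security/audit /audit
if [ "$#" -gt 0 ]; then
    rc=0
    for d in "$@"; do
        check_audit_perms "$d" || rc=1
    done
    exit "$rc"
fi
```

Only directories and regular files are mode-checked; symbolic links and other file types under the audit directories are covered by the owner and group checks only.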