GEN002870 - The system must be configured to send audit records to a remote audit server - '/etc/security/audit/config streammode=on'

Information

Audit records contain evidence that can be used in the investigation of compromised systems. To prevent this evidence from compromise, it must be sent to a separate system continuously. Methods for sending audit records include, but are not limited to, system audit tools used to send logs directly to another host or through the system's syslog service to another host.

Solution

Configure the system to send audit records to a remote system. The actual method is left to site discretion and may involve the use of third-party products.

One method for performing remote audit logging involves streaming audit records to syslog and using syslog to send the records to another system.

Enable stream mode by editing the /etc/security/audit/config and set streammode = on.

Edit /etc/security/audit/streamcmds to send stream logs to the syslog facility with an entry such as:
/usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info &

Edit the /etc/syslog.conf file to configure syslog to send local7.info to a remote server with an entry such as:
Local7.info @logserver

See Also

https://iasecontent.disa.mil/stigs/zip/U_AIX_6-1_V1R14_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3(2), CAT|III, CCI|CCI-000136, Group-ID|V-24357, Rule-ID|SV-38859r1_rule, STIG-ID|GEN002870, Vuln-ID|V-24357

Plugin: Unix

Control ID: a177f5f7e0c6134d4eb1519ae546dba2cfcbecba0714c19d76ec18601fe0ce6a