AIX7-00-002004 - AIX must produce audit records containing information to establish the source and the identity of any individual or process associated with an event.

Information

Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.

Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services.

In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.

Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V2R9_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, CAT|II, CCI|CCI-000133, CCI|CCI-001487, Rule-ID|SV-215238r508663_rule, STIG-ID|AIX7-00-002004, STIG-Legacy|SV-101351, STIG-Legacy|V-91251, Vuln-ID|V-215238

Plugin: Unix

Control ID: 85f7f6adc2d7f3cfc4f2ef8c828aaf9b20a51990eb43059eb3e6f46018210641