Information
Without establishing the source of the event, it is impossible to establish, correlate, and investigate the events leading up to an outage or attack.
Without information that establishes the identity of the subjects (i.e., users or processes acting on behalf of users) associated with the events, security personnel cannot determine responsibility for the potentially harmful event.
In addition to logging where events occur within AIX, AIX must also generate audit records that identify sources of events. Sources of operating system events include, but are not limited to, processes and services.
In order to compile an accurate risk assessment and provide forensic analysis, it is essential for security personnel to know the source of the event.
Satisfies: SRG-OS-000040-GPOS-00018, SRG-OS-000255-GPOS-00096
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
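The requirement above concerns what each audit record carries, not only whether the audit subsystem is running. The following added example (not part of the Nessus or STIG text) parses column-aligned `auditpr` output and reports records that lack subject or process identity, so that a reviewer can confirm that records written after the reset below actually name their source. The column set and layout are assumed to be those of `auditpr -h elRrtcpP`; the sample lines are constructed, not captured from a real host.

```python
import re
from collections import Counter

# Constructed sample in the shape of `auditpr -h elRrtcpP` output (event, login,
# real user, status, time, command, pid, ppid). Layout is assumed, not captured
# from an AIX host; the last row deliberately lacks subject and command fields.
SAMPLE_AUDITPR = """\
event           login    real     status      time                     command                  pid     ppid
PROC_Create     root     root     OK          Thu Jan 04 10:15:02 2024 sshd                     1234    1
PROC_Execute    alice    alice    OK          Thu Jan 04 10:15:03 2024 /usr/bin/ls              5678    1234
FILE_Open       alice    root     FAIL        Thu Jan 04 10:15:04 2024 cat                      5680    1234
USER_Login                        FAIL        Thu Jan 04 10:15:05 2024                          5690    1
"""

# Fields that identify the source of an event: the subject (login and real
# user) and the process (command, pid, ppid).
SOURCE_FIELDS = ("login", "real", "command", "pid", "ppid")


def parse_auditpr(text):
    """Parse column-aligned auditpr output into a list of dicts.

    Column boundaries are taken from the header line, so fields that contain
    single spaces (the time column) and empty fields are both handled
    correctly, which a whitespace split would not do.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header, rows = lines[0], lines[1:]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    records = []
    for row in rows:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()
        records.append(rec)
    return records


def missing_source_fields(rec):
    """Return the source-identifying fields that are empty in one record."""
    return [f for f in SOURCE_FIELDS if not rec.get(f)]


def records_without_source(records):
    """List (event, missing fields) for records that cannot be attributed."""
    return [(r["event"], missing_source_fields(r))
            for r in records if missing_source_fields(r)]


def identity_mismatches(records):
    """Records where the login user and the real user differ, i.e. the
    subject changed identity (e.g. via su) before the event; these matter
    when assigning responsibility."""
    return [(r["event"], r["login"], r["real"])
            for r in records
            if r["login"] and r["real"] and r["login"] != r["real"]]


def events_by_subject(records):
    """Count attributable events per (login, command) pair."""
    return Counter((r["login"], r["command"])
                   for r in records if not missing_source_fields(r))


if __name__ == "__main__":
    recs = parse_auditpr(SAMPLE_AUDITPR)
    for event, missing in records_without_source(recs):
        print(f"unattributable record {event}: missing {', '.join(missing)}")
    for event, login, real in identity_mismatches(recs):
        print(f"identity change in {event}: login={login} real={real}")
    for (login, cmd), n in events_by_subject(recs).items():
        print(f"{login:8} {cmd:20} {n}")
```

On a real host, feed the script the output of `auditpr -h elRrtcpP < /audit/trail` (or the equivalent for the configured trail) instead of the constructed sample; any record reported as unattributable is one the check above would flag, whatever the audit subsystem's on/off state.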
Solution
Reset the audit system with the following command:
# /usr/sbin/audit shutdown
Start the audit system with the following command:
# /usr/sbin/audit start