AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-219956 | AIX7-00-002017 | SV-219956r958754_rule | CCI-001851 | medium |
| Description |
| Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
| STIG | Date |
| IBM AIX 7.x Security Technical Implementation Guide | 2024-08-16 |
Details
Check Text (C-219956r958754_chk)
Verify the action the operating system takes if the disk the audit records are written to becomes full.
Verify that the file "/etc/security/audit/config" includes the required settings with the following command:
# cat /etc/security/audit/config
bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 25000
    cmds = /etc/security/audit/bincmds
    freespace = 65536
    backuppath = /audit
    backupsize = 0
    bincompact = off
If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.
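The check above can be scripted. The following is an added example, not part of the STIG: the function name check_audit_bin_stanza is hypothetical, and it assumes that the numeric attributes are minimums, that the other attributes must match exactly, and that lines beginning with "*" are comments.

```shell
# Added example: audit the "bin:" stanza of an AIX audit config file.
# Usage: check_audit_bin_stanza [file]  (default /etc/security/audit/config)
check_audit_bin_stanza() {
    awk '
    BEGIN {
        # Required values, copied from the Check Text.
        want["trail"] = "/audit/trail"; want["bin1"] = "/audit/bin1"
        want["bin2"] = "/audit/bin2";   want["binsize"] = 25000
        want["cmds"] = "/etc/security/audit/bincmds"
        want["freespace"] = 65536;      want["backuppath"] = "/audit"
        want["backupsize"] = 0;         want["bincompact"] = "off"
        # Assumption: numeric attributes are minimums, the rest must match.
        minimum["binsize"] = minimum["freespace"] = minimum["backupsize"] = 1
    }
    /^[ \t]*$/ || /^[ \t]*\*/ { next }                     # blank or comment
    /^[^ \t=]+:[ \t]*$/ { in_bin = ($1 == "bin:"); next }  # stanza header
    in_bin && /=/ {                                        # only inside bin:
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        have[key] = val; seen[key] = 1
    }
    END {
        for (k in want) {
            if (!(k in seen)) { print "FINDING: " k " is missing"; bad = 1 }
            else if (k in minimum) {
                if (have[k] !~ /^[0-9]+$/ || have[k] + 0 < want[k] + 0) {
                    print "FINDING: " k " = " have[k] " (minimum " want[k] ")"; bad = 1 }
            } else if (have[k] != want[k]) {
                print "FINDING: " k " = " have[k] " (expected " want[k] ")"; bad = 1 }
        }
        exit bad + 0   # 0 = compliant, 1 = finding
    }' "${1:-/etc/security/audit/config}"
}

# Constructed sample: freespace below the minimum, bincompact absent.
sample=${TMPDIR:-/tmp}/audit_config.sample.$$
cat > "$sample" <<'EOF'
bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 25000
    cmds = /etc/security/audit/bincmds
    freespace = 1024
    backuppath = /audit
    backupsize = 0
EOF
check_audit_bin_stanza "$sample" || echo "non-compliant: see findings above"
rm -f "$sample"
```

Only attributes inside the "bin:" stanza are compared, so a "cmds" line in another stanza of the same file does not mask or trigger a finding.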
Fix Text (F-21666r853496_fix)
Edit the /etc/security/audit/config file and add/modify the following values:
Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.
bin:
    trail = /audit/trail
    bin1 = /audit/bin1
    bin2 = /audit/bin2
    binsize = 25000
    cmds = /etc/security/audit/bincmds
    freespace = 65536
    backuppath = /audit
    backupsize = 0
    bincompact = off
Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start