Information
This recommendation provides guidance for preparing an AIX system to operate with AUDIT active.
AIX Audit has been available as part of the kernel since 1995. The historical setup keeps all of its files in the root partition. This presents a risk that / (/dev/hd4) may become (nearly) full and impact system availability. Further, while a separate user group ( audit ) is defined, the default configuration requires that an audit admin be a member of two groups, audit and security. It is better to remove the requirement for the group security.
Solution
Configure AIX auditing in-line with the High Level AIX Security Expert policy.
Create a /audit filesystem, at least 100 MB in size. Replace <LV name> with the logical volume name that is then passed to crfs -d (auditlv below); the trailing 1 in mklv is the number of logical partitions, so adjust it to the rootvg physical partition size to reach the required size:
mklv -y <LV name> -t jfs2 -u 1 -c 1 rootvg 1 hdisk0
crfs -v jfs2 -d auditlv -m /audit -A yes -t no
mount /audit
Reflect the following configuration in the /etc/security/audit/config file:
vi /etc/security/audit/config
Add in:
start:
binmode = on
streammode = off
bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds
Add the auditing entries for root and all other users below the pre-defined audit classes:
users:
root = general,SRC,mail,cron,tcpip,ipsec,lvm
<user 1> = general,SRC,cron,tcpip
<user 2> = general,SRC,cron,tcpip
etc.
Update the /usr/lib/security/mkuser.default auditclasses entry to ensure that auditing is set up for any newly created users:
chsec -f /usr/lib/security/mkuser.default -s user -a auditclasses=general,SRC,cron,tcpip
Implement an hourly cron job that monitors the free space in /audit, to ensure that /audit does not fill up. If /audit is more than 90% used, /audit/trail is moved to /audit/trailOneLevelBack :
crontab -e
Add in:
0 * * * * /etc/security/aixpert/bin/cronaudit
NOTE: The implementation of a script to suit internal security policy is recommended to further enhance the log rotation process.
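As an added example of such a site-specific rotation script (it is not part of the original recommendation and is not IBM's /etc/security/aixpert/bin/cronaudit), the following POSIX sh script applies the 90% threshold and the /audit/trailOneLevelBack target named above. It assumes the column layout of AIX "df -k" (Filesystem, 1024-blocks, Free, %Used, Iused, %Iused, Mounted on); the df output embedded in it is a constructed sample for offline testing.

```shell
#!/bin/sh
# Added example: hourly check of the /audit filesystem that keeps one trail
# generation back once usage passes the threshold. Not the page's own script
# and not the aixpert cronaudit script; assumes AIX "df -k" column layout.

AUDIT_DIR=${AUDIT_DIR:-/audit}
THRESHOLD=${THRESHOLD:-90}

# Constructed sample of "df -k /audit" output (not real system data).
SAMPLE_DF='Filesystem    1024-blocks      Free %Used    Iused %Iused Mounted on
/dev/auditlv      1048576     83886   92%     1234     2% /audit'

# used_percent: read df -k output on stdin, print the %Used column as an integer.
used_percent() {
    awk 'NR > 1 && $4 ~ /%$/ { sub(/%/, "", $4); print $4; exit }'
}

# needs_rotation PERCENT THRESHOLD: succeed only when usage is above the threshold.
needs_rotation() {
    [ "$1" -gt "$2" ]
}

# rotate_trail DIR: move DIR/trail to DIR/trailOneLevelBack, replacing any
# earlier generation. The next auditcat run (see bincmds) recreates DIR/trail.
rotate_trail() {
    dir=$1
    [ -f "$dir/trail" ] || return 1
    rm -f "$dir/trailOneLevelBack"
    mv "$dir/trail" "$dir/trailOneLevelBack"
}

# check_and_rotate DIR THRESHOLD: reads df output on stdin, rotates when needed.
# Returns 0 when a rotation was performed, 1 otherwise.
check_and_rotate() {
    dir=$1
    limit=$2
    pct=$(used_percent)
    if [ -n "$pct" ] && needs_rotation "$pct" "$limit"; then
        rotate_trail "$dir" && echo "rotated: $dir/trail (${pct}% used > ${limit}%)"
    else
        echo "ok: $dir at ${pct:-?}% used"
        return 1
    fi
}

# Invoked from cron as: 0 * * * * /path/to/cronaudit.sh run
case "${1:-}" in
    run) df -k "$AUDIT_DIR" | check_and_rotate "$AUDIT_DIR" "$THRESHOLD" ;;
esac
```

Only one previous generation is kept, so a site that must retain trails longer should copy trailOneLevelBack to archive storage before the next hourly run replaces it.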
Add the audit startup command into /etc/inittab :
mkitab "audit:2:boot:audit start > /dev/console 2>&1 # Start audit"
Impact
This recommendation creates an additional logical volume ( hd12audit ) and filesystem ( /audit ) if the filesystem /audit does not already exist.
The recommended minimum size of /audit is 10 GB, but this is not scored. It is only a starting point for new systems; actual usage will determine whether additional space is needed.
While an additional volume group could be created specifically for AUDIT this recommendation uses the default volume group rootvg to ensure that the volume group is always available when the system is operational.
Further, this recommendation moves the audit configuration to be parallel to /etc/security rather than a subdirectory of it. A symbolic link points to the new location so that the AIX audit utilities (run as root) find the files via the expected pathname.