AIX7-00-002017 - AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Information

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Solution

Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for 'binsize' and 'freespace' are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

bin:
trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_IBM_AIX_7-x_V3R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-219956r958754_rule, STIG-ID|AIX7-00-002017, STIG-Legacy|SV-109109, STIG-Legacy|V-100005, Vuln-ID|V-219956

Plugin: Unix

Control ID: 6a07eadb92eab29359bbcddea2f57412e88eb38d4ceda5606aac4dccdeb8cf4d