AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-219956 | SRG-OS-000342-GPOS-00133 | AIX7-00-002017 | SV-219956r958754_rule | 2024-08-16 | 3 |
Description |
---|
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
ℹ️ Check |
---|

Verify the action the operating system takes if the disk the audit records are written to becomes full.

Verify that the file "/etc/security/audit/config" includes the required settings with the following command:

```
# cat /etc/security/audit/config

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```

If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.
✔️ Fix |
---|

Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

```
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```

Restart the audit process:

```
# /usr/sbin/audit shutdown
# /usr/sbin/audit start
```
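
The Check above can be scripted. The following is an added example, not part of the STIG text: a POSIX shell function (the name `check_audit_bin` is hypothetical) that parses the `bin:` stanza and reports each missing or non-matching attribute. It assumes that only "binsize" and "freespace" are minimums, as the Fix note states, that every other attribute must match exactly, and that lines starting with `*` are comments.

```shell
#!/bin/sh
# Assumption: binsize and freespace are minimums; all other attributes must match exactly.
check_audit_bin() {
    awk '
    BEGIN {
        want["trail"] = "/audit/trail"; want["bin1"] = "/audit/bin1"
        want["bin2"] = "/audit/bin2";   want["cmds"] = "/etc/security/audit/bincmds"
        want["backuppath"] = "/audit";  want["backupsize"] = "0"
        want["bincompact"] = "off"
        min["binsize"] = 25000;         min["freespace"] = 65536
        n = split("trail bin1 bin2 binsize cmds freespace backuppath backupsize bincompact", order, " ")
    }
    /^[ \t]*\*/ || /^[ \t]*$/ { next }                    # comment or blank line
    /^[^ \t=]+:[ \t]*$/ { in_bin = ($1 == "bin:"); next } # stanza header
    in_bin && index($0, "=") {                            # attribute inside bin: only
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        have[key] = val
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]; msg = ""
            if (!(k in have)) { msg = "is missing" }
            else if (k in min) {
                if (have[k] !~ /^[0-9]+$/ || have[k] + 0 < min[k]) { msg = "= " have[k] " (minimum " min[k] ")" }
            }
            else if (have[k] != want[k]) { msg = "= " have[k] " (expected " want[k] ")" }
            if (msg != "") { print "FINDING: " k " " msg; bad = 1 }
        }
        exit bad + 0        # 0 = compliant, 1 = at least one finding
    }' "${1:-/etc/security/audit/config}"
}

# Constructed sample (not from a real system): freespace is below the minimum
# and bincompact is absent, so two findings are reported.
sample=$(mktemp)
cat > "$sample" <<'EOF'
start:
        binmode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 1024
        backuppath = /audit
        backupsize = 0
EOF
check_audit_bin "$sample" || echo "Result: finding (bin: stanza is non-compliant)"
rm -f "$sample"
```

Called with no argument, the function reads /etc/security/audit/config; its exit status is 0 when the stanza is compliant and non-zero otherwise.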