AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.
| Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-219956 | SRG-OS-000342-GPOS-00133 | AIX7-00-002017 | SV-219956r958754_rule | 2026-02-06 | 3 |
Description
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
ℹ️ Check
Verify the action the operating system takes if the disk the audit records are written to becomes full.
Verify that the file "/etc/security/audit/config" includes the required settings with the following command:
```
# cat /etc/security/audit/config

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```
If any of the configurations listed above is missing or not set to the listed value or greater, this is a finding.
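The check above can be scripted. The following is an added example, not part of the STIG text: a POSIX shell function (using awk) that parses the "bin:" stanza and reports each setting that is missing or out of range. It assumes that only "binsize" and "freespace" are minimums (as the Fix note states), that every other value must match exactly, and that lines starting with "*" are comments; the function name `check_audit_bin` is hypothetical.

```shell
#!/bin/sh
# Added example (not part of the STIG): check the "bin:" stanza of an AIX
# audit config file against the values listed in the check text.
# Usage: check_audit_bin FILE ; prints findings, returns non-zero if any.
check_audit_bin() {
    awk '
    BEGIN {
        want["trail"] = "/audit/trail";  want["bin1"] = "/audit/bin1"
        want["bin2"] = "/audit/bin2";    want["binsize"] = 25000
        want["cmds"] = "/etc/security/audit/bincmds"
        want["freespace"] = 65536;       want["backuppath"] = "/audit"
        want["backupsize"] = 0;          want["bincompact"] = "off"
        # Assumption: only these two are minimums (per the Fix note).
        min["binsize"] = 1; min["freespace"] = 1
    }
    /^[ \t]*\*/ { next }                          # comment line
    /^[A-Za-z0-9_]+:[ \t]*$/ { in_bin = ($1 == "bin:"); next }
    in_bin && /=/ {
        key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        got[key] = val
    }
    END {
        for (k in want) {
            if (!(k in got))
                msg = "missing"
            else if ((k in min) && (got[k] !~ /^[0-9]+$/ || got[k] + 0 < want[k]))
                msg = "is " got[k] ", below minimum " want[k]
            else if (!(k in min) && got[k] != (want[k] ""))
                msg = "is " got[k] ", expected " want[k]
            else
                continue
            print "FINDING: " k " " msg; bad = 1
        }
        exit bad + 0
    }' "$1"
}

# Constructed sample, not from a real host: freespace is below the minimum.
sample=$(mktemp)
printf 'bin:\n\ttrail = /audit/trail\n\tbin1 = /audit/bin1\n\tbin2 = /audit/bin2\n' > "$sample"
printf '\tbinsize = 25000\n\tcmds = /etc/security/audit/bincmds\n\tfreespace = 1024\n' >> "$sample"
printf '\tbackuppath = /audit\n\tbackupsize = 0\n\tbincompact = off\n' >> "$sample"
check_audit_bin "$sample" || echo "non-compliant"
rm -f "$sample"
```

On a live system, pass /etc/security/audit/config as the argument; a non-zero return status corresponds to a finding.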
✔️ Fix
Edit the /etc/security/audit/config file and add/modify the following values:
Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.
```
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 25000
        cmds = /etc/security/audit/bincmds
        freespace = 65536
        backuppath = /audit
        backupsize = 0
        bincompact = off
```
Restart the audit process:
```
# /usr/sbin/audit shutdown
# /usr/sbin/audit start
```