STIGhub
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-215236

CAT II (Medium)

AIX must produce audit records containing information to establish what the date, time, and type of events that occurred.

Rule ID

SV-215236r958412_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000130, CCI-000131

Discussion

Without establishing what type of events occurred, it would be difficult to establish, correlate, and investigate the events leading up to an outage or attack. Audit record content that may be necessary to satisfy this requirement includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked. Associating event types with detected events in AIX audit logs provides a means of investigating an attack; recognizing resource utilization or capacity thresholds; or identifying an improperly configured operating system.

Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000038-GPOS-00016

Check Content

Check if audit is turned on by running the following command:

# audit query | grep -i auditing
auditing on

The command should yield the following output:
auditing on

If the command shows "auditing off", this is a finding.

The log file can be set by the "trail" variable in /etc/security/audit/config.
# grep trail /etc/security/audit/config
        trail = /audit/trail

Note: The default log file is "/audit/trail".

Use the following command to display the audit events:

# /usr/sbin/auditpr -i <audit log file> -helRtcp

event           login    status   time                      command   process
--------------- -------- -------- ------------------------- --------- --------
PROC_Delete     root     OK       Wed Oct 31 23:01:37 2018  audit     9437656
FILE_Close      root     OK       Wed Oct 31 23:01:37 2018  auditbin  12255562
FILE_Open       root     OK       Wed Oct 31 23:01:37 2018  auditbin  12255562
FILE_Read       root     OK       Wed Oct 31 23:01:37 2018  auditbin  12255562
FILE_Close      root     OK       Wed Oct 31 23:01:37 2018  auditbin  12255562
PROC_Create     root     OK       Wed Oct 31 23:01:44 2018  ksh       12976466
FILE_Close      root     OK       Wed Oct 31 23:01:44 2018  ksh       9437658
FILE_Open       root     OK       Wed Oct 31 23:01:44 2018  ksh       9437658
FILE_Read       root     OK       Wed Oct 31 23:01:44 2018  ksh       9437658
FILE_Close      root     OK       Wed Oct 31 23:01:44 2018  ksh       9437658
PROC_Execute    root     OK       Wed Oct 31 23:01:44 2018  ls        9437658
FILE_Open       root     OK       Wed Oct 31 23:01:44 2018  ls        9437658

If the event type is not displayed, this is a finding.

More information on the command options used above:
    -e  the audit event.
    -l  the login name of the user.
    -R  the audit status.
    -t  the time the record was written.
    -c  the command name.
    -p  the process ID.
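The check above as an added shell example (not part of the STIG or of STIGhub): it evaluates the three steps (audit state, trail location, an event type on every auditpr record) against captured command output, so it can be exercised off the AIX host. Function names and the sample captures are constructed; the auditpr rows are the ones shown in the check text.

```shell
#!/bin/sh
# Added example, not DISA's or STIGhub's code: evaluates the V-215236 check
# against captured command output so it runs on a non-AIX host.
# Function names and sample captures are constructed for this example.

# Step 1: "audit query | grep -i auditing" must report "auditing on".
# Reads the captured query output on stdin; returns 1 (finding) otherwise.
audit_state_ok() {
    grep -iq 'auditing on'
}

# Step 2: pull the trail file from /etc/security/audit/config text on stdin.
trail_path() {
    sed -n 's/^[[:space:]]*trail[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# Step 3: every record from "auditpr -helRtcp" must carry an event type,
# login, status, a five-field timestamp, command and PID (10 fields), with
# the event column looking like PROC_Delete or FILE_Open. The column header
# and dashed rule are skipped; malformed records are printed, return 1.
auditpr_records_ok() {
    awk '$1 == "event" || /^-/ || NF == 0 { next }
         NF != 10 || $1 !~ /^[A-Z][A-Za-z_]*$/ { bad++; print "malformed: " $0 }
         END { exit (bad > 0) }'
}

# Constructed captures standing in for the live commands.
SAMPLE_QUERY='auditing on'
SAMPLE_CONFIG='        trail = /audit/trail'
SAMPLE_AUDITPR='event           login    status   time                      command   process
--------------- -------- -------- ------------------------- --------- --------
PROC_Delete     root     OK       Wed Oct 31 23:01:37 2018  audit     9437656
FILE_Close      root     OK       Wed Oct 31 23:01:37 2018  auditbin  12255562
PROC_Execute    root     OK       Wed Oct 31 23:01:44 2018  ls        9437658'

# Full check over captures (query text, config text, auditpr text):
# prints PASS or FINDING and returns 0 or 1. On an AIX host the same
# functions take live input, e.g.
#   audit query | audit_state_ok
#   auditpr -i "$(trail_path < /etc/security/audit/config)" -helRtcp | auditpr_records_ok
v215236_check() {
    printf '%s\n' "$1" | audit_state_ok || { echo "FINDING: auditing is off"; return 1; }
    printf '%s\n' "$3" | auditpr_records_ok || { echo "FINDING: event type not displayed"; return 1; }
    echo "PASS: audit on, trail $(printf '%s\n' "$2" | trail_path), all records carry an event type"
}

v215236_check "$SAMPLE_QUERY" "$SAMPLE_CONFIG" "$SAMPLE_AUDITPR"
```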

Fix Text

Reset the audit system with the following command:
# /usr/sbin/audit shutdown

Start the audit system with the following command:
# /usr/sbin/audit start