AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

An XCCDF Rule

Details
Profiles

Description

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

ID: SV-219956r958754_rule
Version: AIX7-00-002017
Severity: Medium
References: CCI-001851
Updated: 24 days ago

Remediation Templates

Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

bin:
trail = /audit/trailbin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start

AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Description

Remediation Templates

A Manual Procedure