AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

An XCCDF Rule

Description

<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-219956r877390_rule
Severity: Medium
References: CCI-001851
Updated: 8 months ago

Edit the /etc/security/audit/config file and add/modify the following values:

Note: The values for "binsize" and "freespace" are the minimum required values. These values can be increased to meet organizationally defined values that exceed the listed values.

bin:
trail = /audit/trailbin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 25000
cmds = /etc/security/audit/bincmds
freespace = 65536
backuppath = /audit
backupsize = 0
bincompact = off

Restart the audit process:
# /usr/sbin/audit shutdown
# /usr/sbin/audit start

AIX must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Description

Remediation - Manual Procedure