The system must be configured to send audit records to a remote audit server.

From AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE

Part of GEN002870

Associated with IA controls: ECTB-1

Associated with: CCI-000136

SV-38859r1_rule The system must be configured to send audit records to a remote audit server.

Vulnerability discussion

Audit records contain evidence that can be used in the investigation of compromised systems. To prevent this evidence from compromise, it must be sent to a separate system continuously. Methods for sending audit records include, but are not limited to, system audit tools used to send logs directly to another host or through the system's syslog service to another host.

Check content

Ask the SA to provide information on the remote logging of audit records. Verify the configuration described is functioning. If no method of remote logging of audit records is in place or functioning, this is a finding. Methods of remote audit record logging will be site-specific and may depend on the use of third-party tools. One possible method with AIX is the use of the audit streams facility such as: Verify "streammode = on" in /etc/security/audit/config. Check that /etc/security/audit/streamcmds sends stream logs to the syslog facility with an entry such as: /usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info & Check that the /etc/syslog.conf file is configured to send local7.info to a remote server with an entry such as: local7.info @logserver

Fix text

Configure the system to send audit records to a remote system. The actual method is left to site discretion and may involve the use of third-party products. One method for performing remote audit logging involves streaming audit records to syslog and using syslog to send the records to another system. Enable stream mode by editing the /etc/security/audit/config and set streammode = on. Edit /etc/security/audit/streamcmds to send stream logs to the syslog facility with an entry such as: /usr/sbin/auditstream | auditpr -v | /usr/bin/logger -p local7.info & Edit the /etc/syslog.conf file to configure syslog to send local7.info to a remote server with an entry such as: Local7.info @logserver

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer