AIX Security Expert Audit Policy Recommendations group
AIX® Security Expert provides specific audit policy settings.
- The prerequisite rule for auditing must check that auditing is not currently running. If auditing is already running, it was configured previously, and AIX Security Expert must not alter the existing audit configuration and procedure.
- There must be at least 100 megabytes of free space in a volume group that is automatically varied on, or the /audit filesystem must already exist with a size of 100 megabytes or more.
- The /audit JFS file system must be created and mounted before auditing is started. The file system must have a size of at least 100 megabytes.
- Audit must be run in bin mode. The /etc/security/audit/config file must be configured as follows:
    start:
            binmode = on
            streammode = off

    bin:
            trail = /audit/trail
            bin1 = /audit/bin1
            bin2 = /audit/bin2
            binsize = 10240
            cmds = /etc/security/audit/bincmds
            ...
- Add the auditing entries for root and normal user for High, Medium, and Low Level Security.
- Audit must be enabled on reboot for High, Medium, and Low Level Security.
- New users created must have audit enabled for High, Medium, and Low Level Security. This can be done by adding an auditclasses entry to the user stanza in the /usr/lib/security/mkuser.default file.
- A cronjob must be added to avoid filling up the /audit filesystem.
The following table lists the values set by AIX Security Expert for Enable binaudit:
| High Level Security | Medium Level Security | Low Level Security | AIX Standard Settings |
|---|---|---|---|
| Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: | Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: | Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: | The /etc/security/audit/config file contains the following entry: Audit class login is defined as follows: Note: The standard settings feature disables auditing. |
| Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: | Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: | Add the following auditing entries for root and normal user: Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users: auditclasses=general | Yes |
The cronjob must run every hour and check the size of /audit. If the Audit Freespace Equation is true, the Audit Trail Copy Actions must be performed. The Audit Freespace Equation is defined to ensure that the /audit filesystem does not fill up: when it indicates that the /audit filesystem is full, the Audit Trail Copy Actions are carried out (auditing is disabled, /audit/trail is backed up to /audit/trailOneLevelBack, and auditing is re-enabled).
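An hourly cron script that performs this check and the Audit Trail Copy Actions, as an added example (not IBM's own script). It assumes the AIX `df -k` column layout, treats the Audit Freespace Equation as "free KB on /audit below MIN_FREE_KB" because the page does not define the equation, and assumes auditing is restarted on an empty /audit/trail; the script path in the crontab line is also assumed.

```sh
#!/bin/sh
# Added example, not IBM's own script: hourly check of /audit free space
# followed by the Audit Trail Copy Actions when the filesystem is full.
# Assumed AIX 'df -k' data line layout:
#   Filesystem 1024-blocks Free %Used Iused %Iused Mounted on
# Assumed Audit Freespace Equation: Free KB on /audit < MIN_FREE_KB.
AUDIT_FS=/audit
TRAIL=/audit/trail
BACKUP=/audit/trailOneLevelBack
MIN_FREE_KB=10240   # assumed threshold (10 MB of headroom)

# Print the Free column (field 3) of one 'df -k' data line.
free_kb_from_df_line() {
    printf '%s\n' "$1" | awk '{ print $3 }'
}

# Audit Freespace Equation: exit 0 (true) when free KB is below the minimum.
# $1 = df data line, $2 = minimum free KB
audit_fs_needs_rotation() {
    free=$(free_kb_from_df_line "$1")
    [ -n "$free" ] && [ "$free" -lt "$2" ]
}

# Audit Trail Copy Actions: disable auditing, keep the trail one level back,
# start a fresh trail, re-enable auditing.
# $1 = trail file, $2 = backup file, $3 = stop command, $4 = start command
# (the cron job passes 'audit shutdown' and 'audit start').
audit_trail_copy_actions() {
    $3 || return 1                # stop the audit subsystem so the trail is quiescent
    mv -f "$1" "$2" || return 1   # the previous backup is overwritten, freeing its space
    : > "$1"                      # assumed: restart auditing on an empty trail
    $4
}

# Crontab entry (assumed path): 0 * * * * /usr/local/sbin/audit_space_check.sh run
case "${1-}" in
run)
    line=$(df -k "$AUDIT_FS" | awk 'NR == 2')
    if audit_fs_needs_rotation "$line" "$MIN_FREE_KB"; then
        audit_trail_copy_actions "$TRAIL" "$BACKUP" "audit shutdown" "audit start"
    fi
    ;;
esac
```

Only one previous trail is retained, so the backup copy should be collected off the box (or archived elsewhere) before the next rotation overwrites it.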