AIX Security Expert Audit Policy Recommendations group

AIX® Security Expert provides specific audit policy settings.

As with other security settings, bin auditing also needs the analysis (prerequisite) rules to be satisfied before applying any audit rules for High, Medium, or Low Level Security. The following analysis rules need to be satisfied for bin auditing:
  1. The prerequisite rule to audit must check to see that audit is not currently running. If auditing is already running, then audit has been previously configured and AIX Security Expert must not alter the existing audit configuration and procedure.
  2. There must be at least 100 megabytes of free space in a volume group that is automatically varied on or the /audit filesystem must currently exist with a size of 100 megabytes or more.
If the above prerequisite conditions are met and the audit option is selected within AIX Security Expert, AIX Security Expert configures and enables auditing on the system in the following manner. The AIX Security Expert Enable binaudit action button sets the audit policy. Auditing must be enabled on the system.
  1. The /audit JFS file system must be created and mounted before starting audit. The file system must have a size of at least 100 megabytes.
  2. Audit must be run in bin mode. The /etc/security/audit/config file must be configured as follows:
     start:
                 binmode = on
                 streammode = off
     bin:
                 trail = /audit/trail
                 bin1 = /audit/bin1
                 bin2 = /audit/bin2
                 binsize = 10240
                 cmds = /etc/security/audit/bincmds
                 ...
     
  3. Add the auditing entries for root and normal user for High, Medium, and Low Level Security.
  4. Audit must be enabled on reboot for High, Medium, and Low Level Security.
  5. New users created must have audit enabled for High, Medium, and Low Level Security. This can be done by adding an auditclasses entry to the user stanza in the /usr/lib/security/mkuser.default file.
  6. A cron job must be added to avoid filling up the /audit filesystem.
The audit undo rule must shut down audit and remove its enablement on reboot.
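The two prerequisite rules above (auditing not already running; at least 100 megabytes free in a varied-on volume group, or an existing /audit filesystem of 100 megabytes or more) can be evaluated with a small shell script. The script below is an added example, not AIX Security Expert's own code; it assumes the usual AIX output formats of `audit query`, `lsvg` and `df -m` (noted in the comments), and the function names are ours.

```shell
#!/bin/sh
# Added example for the two bin-auditing prerequisite rules. This is not
# AIX Security Expert's own code; it assumes these AIX command output formats:
#   audit query      first line reads "auditing on" or "auditing off"
#   lsvg <vg>        contains a field "FREE PPs: <n> (<m> megabytes)"
#   df -m <path>     data line: device, size in MB, free, %Used, ..., mount point
# The 100 megabyte figure is the page's; the function names are ours.

MIN_AUDIT_MB=100

# Rule 1: auditing already running means an existing configuration that must
# not be altered. Reads `audit query` output on stdin; exit 0 when "auditing on".
audit_is_running() {
    head -n 1 | grep -q '^auditing on'
}

# Rule 2a: free space, in megabytes, of one volume group from `lsvg <vg>` on stdin.
# Prints 0 when no FREE PPs field is present.
vg_free_mb() {
    awk -F'[()]' '/FREE PPs/ { split($2, a, " "); print a[1] + 0; found = 1; exit }
                  END { if (!found) print 0 }'
}

# Rule 2b: size in megabytes of the filesystem mounted exactly at /audit, from
# `df -m /audit` on stdin. Prints 0 when /audit is only a directory inside another
# filesystem (the mount point column would then not be /audit).
audit_fs_mb() {
    awk 'NR > 1 && $NF == "/audit" { size = $2 } END { print int(size + 0) }'
}

# The prerequisite decision: $1 is "on"/"off", $2 the largest free megabytes in
# any varied-on volume group, $3 the size of the existing /audit filesystem.
binaudit_prereqs_met() {
    state="$1"; vg_free="$2"; fs_mb="$3"
    [ "$state" = "off" ] || return 1
    [ "$vg_free" -ge "$MIN_AUDIT_MB" ] || [ "$fs_mb" -ge "$MIN_AUDIT_MB" ]
}

# Driver for a real AIX host (not exercised off-box): gathers the three inputs.
check_binaudit_prereqs() {
    state=off
    audit query 2>/dev/null | audit_is_running && state=on
    vg_free=0
    for vg in $(lsvg -o 2>/dev/null); do      # lsvg -o lists varied-on volume groups
        mb=$(lsvg "$vg" | vg_free_mb)
        [ "$mb" -gt "$vg_free" ] && vg_free=$mb
    done
    fs_mb=$(df -m /audit 2>/dev/null | audit_fs_mb)
    binaudit_prereqs_met "$state" "$vg_free" "$fs_mb"
}
```

The parsing functions read command output from stdin, so they can be checked against captured text without an AIX host; only `check_binaudit_prereqs` runs the real commands. Note that an `audit query` reporting "auditing on" short-circuits the decision regardless of free space, which matches rule 1: an already-running audit configuration is left alone.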

The following table lists the values set by AIX Security Expert for Enable binaudit:

Table 1. Values set by AIX Security Expert for Enable binaudit

High Level Security:
  Add the following auditing entries for root and normal user:
    Root: General, Src, Mail, Cron, Tcpip, Ipsec, Lvm
    User: General, Src, Cron, Tcpip
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general,SRC,\
    cron,tcpip

Medium Level Security:
  Add the following auditing entries for root and normal user:
    Root: General, Src, Tcpip
    User: General, Tcpip
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general,tcpip

Low Level Security:
  Add the following auditing entries for root and normal user:
    Root: General, Tcpip
    User: General
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general

AIX Standard Settings:
  The /etc/security/audit/config file contains the following entry:
    default=login
  Audit class login is defined as follows:
    login = USER_SU, USER_Login, USER_Logout, TERM_Logout, USER_Exit
  Note: The standard settings feature disables auditing.

A second set of values for Enable binaudit, which also adds the aixpert audit class, follows:

High Level Security:
  Add the following auditing entries for root and normal user:
    root: general, src, mail, cron, tcpip, ipsec, lvm, aixpert
    User: general, src, cron, tcpip
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general,SRC,cron,tcpip

Medium Level Security:
  Add the following auditing entries for root and normal user:
    root: general, src, tcpip, aixpert
    User: general, tcpip
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general,tcpip

Low Level Security:
  Add the following auditing entries for root and normal user:
    root: general, tcpip, aixpert
    User: general
  Add the following entry in the user stanza of the /usr/lib/security/mkuser.default file for enabling auditing for newly created users:
    auditclasses=general

AIX Standard Settings:
  Yes

The cron job must run every hour and check the size of /audit. If the Audit Freespace Equation is true, the Audit Trail Copy Actions must be performed. The Audit Freespace Equation is defined to ensure that the /audit filesystem is not full; if the /audit filesystem is full, the Audit Trail Copy Actions are carried out (disabling auditing, backing up /audit/trail to /audit/trailOneLevelBack, and re-enabling auditing).
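The hourly job described above, written out as a shell script. This is an added example and not AIX Security Expert's own cron job; the page does not state the exact Audit Freespace Equation, so it is modelled here as a %Used threshold (AUDIT_FULL_PCT, an assumed name and default), the %Used column is located from the df header rather than by a fixed position, the live trail is truncated after it has been copied (an assumption about how the space is reclaimed), and the install path in the comment is a placeholder.

```shell
#!/bin/sh
# Added example of the hourly cron job from the text. It is not AIX Security
# Expert's own script. Assumptions not taken from the page: the "Audit Freespace
# Equation" is modelled as a %Used threshold (AUDIT_FULL_PCT), the %Used column
# is found from the df header ("%Used" on AIX, "Use%" on Linux), and the live
# trail is truncated after it is copied so that the space is actually reclaimed.
# Install as e.g. /usr/local/sbin/audit_space_check.sh (assumed path) with:
#   0 * * * * /usr/local/sbin/audit_space_check.sh

AUDIT_DIR="${AUDIT_DIR:-/audit}"
AUDIT_CMD="${AUDIT_CMD:-audit}"          # overridable so the logic can be tested off-box
AUDIT_FULL_PCT="${AUDIT_FULL_PCT:-90}"

# Print the %Used value (without the % sign) from df output read on stdin.
df_used_pct() {
    awk 'NR == 1 { for (i = 1; i <= NF; i++) if ($i == "%Used" || $i == "Use%") col = i; next }
         col > 0 { pct = $col }
         END { sub(/%/, "", pct); print pct + 0 }'
}

# Audit Freespace Equation: exit 0 when the filesystem counts as full.
audit_fs_full() {
    [ "$1" -ge "$AUDIT_FULL_PCT" ]
}

# Audit Trail Copy Actions: stop auditing, keep one generation of the trail as
# trailOneLevelBack, empty the live trail, then re-enable auditing. Auditing is
# restarted even when the copy fails, so a full filesystem never leaves it off.
rotate_audit_trail() {
    dir="$1"
    "$AUDIT_CMD" shutdown || return 1
    if [ -f "$dir/trail" ]; then
        cp -p "$dir/trail" "$dir/trailOneLevelBack" || { "$AUDIT_CMD" start; return 1; }
        : > "$dir/trail"
    fi
    "$AUDIT_CMD" start
}

# Cron entry point: check the /audit filesystem and rotate only when it is full.
check_audit_space() {
    used=$(df -k "$AUDIT_DIR" | df_used_pct)
    if audit_fs_full "$used"; then
        rotate_audit_trail "$AUDIT_DIR"
    fi
}

# Run the check when executed directly from cron under the assumed script name;
# when the file is sourced for testing, only the functions are defined.
case "$0" in
    *audit_space_check.sh) check_audit_space ;;
esac
```

Keeping only one previous generation (trailOneLevelBack) is exactly what the text describes, so an hourly rotation can still discard audit records if the trail fills twice before anyone archives it; a site that needs a longer retention should copy trailOneLevelBack off-host before the next run.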