Title

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization. (Cat II impact)

Discussion

If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.

Check Content

Verify NixOS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity with the following command: $ sudo grep -w admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = syslog If the "admin_space_left_action" parameter is missing, commented out, or set to blanks, this is a finding. If the "admin_space_left_action" is set to "syslog", the system logs the event, but does not generate a notification, this is a finding. If the "admin_space_left_action" is set to "exec", the system executes a designated script. If this script does not inform the SA of the event, this is a finding. If the "admin_space_left_action" is set to "email" check the value of the "action_mail_acct" parameter with the following command: $ sudo grep action_mail_acct /etc/audit/auditd.conf action_mail_acct root@localhost The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct" parameter is not set to the email address of the SA and/or ISSO, this is a finding. Note: If the email address of the SA is on a remote system, a mail package must be available.

Fix Text

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity. If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO. If the space_left_action parameter is set to "exec", make sure the command being execute notifies the SA and ISSO. If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO. Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following: admin_space_left_action = syslog For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured): environment.etc."audit/auditd.conf".text = [ '' ... admin_space_left_action = syslog ... '' ]; Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268102r1039601_rule

Vulnerability ID: V-268102

Group Title: SRG-OS-000046-GPOS-00022

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.