Check: OSX8-00-00300
Apple OSX 10.8 STIG:
OSX8-00-00300
(in version v1 r2)
Title
The operating system must configure auditing to reduce the likelihood of storage capacity being exceeded. (Cat II impact)
Discussion
Operating system auditing capability is critical for accurate forensic analysis. Audit record content that may be necessary to satisfy the requirement of this control includes, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, file names involved, and access control or flow control rules invoked. Care must be taken to evaluate that the audit records being produced do not exceed the storage capacity.
Check Content
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep expire-after /etc/security/audit_control | awk -F: '{ print $2 }' If this returns no results, or an incorrect setting for the organization, this is a finding.
Fix Text
To set the auditing daemon to expire logs after "10 GB" of space in the audit_control configuration file, run the following command: sudo sed -i.bak 's/.*expire-after.*/expire-after:10G/' /etc/security/audit_control; sudo audit -s
Additional Identifiers
Rule ID: SV-65705r1_rule
Vulnerability ID: V-51495
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000138 |
The organization configures auditing to reduce the likelihood of storage capacity being exceeded. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |