Check: OSX8-00-00305
Apple OSX 10.8 STIG:
OSX8-00-00305
(in version v1 r2)
Title
The operating system must provide a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. (Cat II impact)
Discussion
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. If audit log capacity is exceeded, events that occur afterwards will not be recorded.
Check Content
The check displays the "% free" value ("minfree"), the percentage of free disk space to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command:

    sudo grep minfree /etc/security/audit_control | awk -F: '{ print $2 }'

If this returns no results, or an incorrect setting for the organization, this is a finding.
Fix Text
To set the value for "minfree" in the "audit_control" configuration file, run the following command:

    sudo sed -i.bak 's/.*minfree.*/minfree:10/' /etc/security/audit_control; sudo audit -s
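The grep in the check also matches a commented-out line such as "#minfree:20", and the sed in the fix only rewrites a line that already contains "minfree", so a file with no such line stays unchanged. The function below is an added example, not part of the STIG: it evaluates only active lines and reports each failure case separately. The name check_minfree, the default of 10 (taken from the Fix Text) and the rule that a value below the required percentage is a finding are assumptions.

```shell
#!/bin/sh
# Added example (not STIG content): evaluate minfree in an audit_control file.
# Usage: check_minfree FILE [REQUIRED_PERCENT]
# Prints one verdict line; returns 0 when compliant, 1 on a finding.
check_minfree() {
    file=$1
    required=${2:-10}   # assumption: 10 mirrors the value in the Fix Text

    if [ ! -r "$file" ]; then
        echo "finding: cannot read $file"
        return 1
    fi

    # Skip comment lines, keep the last active "minfree:<value>" entry,
    # and strip whitespace from the value.
    value=$(awk -F: '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*minfree[ \t]*$/ { v = $2 }
        END { gsub(/[ \t\r]/, "", v); print v }
    ' "$file")

    case $value in
        "")
            echo "finding: minfree is not set on an active line"
            return 1 ;;
        *[!0-9]*)
            echo "finding: minfree is not a number ($value)"
            return 1 ;;
    esac

    # Assumption: less free space reserved than the organization requires
    # counts as an incorrect setting.
    if [ "$value" -lt "$required" ]; then
        echo "finding: minfree=$value (required >= $required)"
        return 1
    fi

    echo "ok: minfree=$value (required >= $required)"
    return 0
}

# Example call on the live file (needs read access):
#   check_minfree /etc/security/audit_control 10
```
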
Additional Identifiers
Rule ID: SV-65709r1_rule
Vulnerability ID: V-51499
Group Title:
CCIs
Number | Definition |
---|---|
CCI-000143 | The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. |
Controls
Number | Title |
---|---|
No controls are assigned to this check |