Check: UBTU-16-020030
Canonical Ubuntu 16.04 LTS STIG:
UBTU-16-020030
(in versions v2 r3 through v1 r3)
Title
The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. (Cat II impact)
Discussion
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
Check Content
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands: #sudo grep space_left_action /etc/audit/auditd.conf space_left_action email If the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command: #sudo grep action_mail_acct parameter /etc/audit/auditd.conf action_mail_acct parameter root@localhost If the space_left_action or the action_mail_accnt parameters are set to blanks, this is a finding. If the space_left_action is set to "syslog", the system logs the event, this is not a finding. If the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. The action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding. Note: If the email address of the system administrator is on a remote system a mail package must be available.
Fix Text
Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).
Additional Identifiers
Rule ID: SV-215036r610931_rule
Vulnerability ID: V-215036
Group Title: SRG-OS-000343-GPOS-00134
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-001855 |
The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. |
Controls
Number | Title |
---|---|
AU-5 (1) |
Audit Storage Capacity |