An error occurred:

Check: UBTU-16-020021

Canonical Ubuntu STIG: UBTU-16-020021 (in version v1 r2)

Title

The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. (Cat II impact)

Discussion

If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

Check Content

Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ 1.0G /var/log/audit If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: # du -sh <partition> 1.0G /var Determine what the threshold is for the system to take action when 75% of the repository maximum audit record storage capacity is reached: # grep -i space_left /etc/audit/auditd.conf space_left = 250 If the value of the "space_left" keyword is not set to 25% of the total partition size, this is a finding.

Fix Text

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to: # grep log_file /etc/audit/auditd.conf Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25% of the partition size.

Additional Identifiers

Rule ID: SV-95673r1_rule

Vulnerability ID: V-80961

Group Title:

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-001855

The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5 (1)

Audit Storage Capacity