Title

The remote audit system must take appropriate action when audit storage is full. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify the action that the remote audit system takes when the storage volume becomes full. Check the action that the remote audit system takes when the storage volume becomes full with the following command: # sudo grep disk_full /etc/audisp/audisp-remote.conf disk_full_action = single If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.

Fix Text

Configure the remote audit system to take an appropriate action when the audit storage is full. Add, edit or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" like the below example: disk_full_action = single

Additional Identifiers

Rule ID: SV-90311r2_rule

Vulnerability ID: V-75631

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.