Title

The Central Log Server must be configured to send an immediate alert to the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated log record storage volume reaches 75 percent of the repository maximum log record storage capacity. (Cat III impact)

Discussion

If security personnel are not notified immediately upon storage volume utilization reaching 75 percent, they are unable to plan for storage capacity expansion. Although this may be part of the operating system function, for the enterprise events management system, this is most often a function managed through the application since it is a critical function and requires the use of a large amount of external storage.

Check Content

Note: This is not applicable (NA) if an external application or operating system manages this function. Examine the configuration. Verify the system is configured to send an immediate warning to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of the repository's maximum log record storage capacity. If the Central Log Server is not configured to send an immediate alert to the SA and ISSO (at a minimum) when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity, this is a finding.

Fix Text

Configure the Central Log Server to send an immediate alert to the SA, ISSO, and other authorized personnel when allocated log record storage volume reaches 75 percent of repository maximum log record storage capacity.

Additional Identifiers

Rule ID: SV-206492r855299_rule

Vulnerability ID: V-206492

Group Title: SRG-APP-000359

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.