Check: FreeBSD-10-001340
FreeBSD 10: FreeBSD-10-001340 (in version v1 r1)
Title
The operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. (Cat II impact)
Discussion
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion. Satisfies: SRG-OS-000343-GPOS-00134
Check Content
Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. If it does not, this is a finding.
# cat /etc/security/audit_control
If the value of minfree is not set to 25% of the audit record storage volume, this is a finding.
If minfree is not set, this is a finding, since the default set by the kernel is 20%.
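The minfree check above can be scripted. The following is an added example, not part of the STIG text; the function name check_minfree is hypothetical, the sample file contents are constructed, and requiring every uncommented minfree entry to match is a conservative assumption.

```shell
#!/bin/sh
# Added example: evaluate the minfree setting in audit_control(5) text.
# REQUIRED=25 comes from the check text (notify at 75% used = 25% free).
REQUIRED=25

# check_minfree FILE  (hypothetical helper name)
#   Prints a verdict and returns 0 when compliant, 1 when it is a finding.
check_minfree() {
    file=$1
    if [ ! -r "$file" ]; then
        echo "FINDING: cannot read $file"
        return 1
    fi
    # Drop comments and whitespace, then keep the value of each minfree entry.
    values=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$file" |
             awk -F: '$1 == "minfree" { print $2 }')
    if [ -z "$values" ]; then
        echo "FINDING: minfree is not set"
        return 1
    fi
    # Conservative choice (assumption): every minfree entry must match.
    for v in $values; do
        case $v in
            *[!0-9]*) echo "FINDING: minfree value '$v' is not a number"; return 1 ;;
        esac
        if [ "$v" -ne "$REQUIRED" ]; then
            echo "FINDING: minfree is $v, expected $REQUIRED"
            return 1
        fi
    done
    echo "OK: minfree is $REQUIRED"
    return 0
}

# Constructed sample (not from a real host): minfree left at a low value.
sample=$(mktemp)
printf '%s\n' 'dir:/var/audit' 'flags:lo,aa' 'minfree:5' 'filesz:2M' > "$sample"
check_minfree "$sample" || true    # prints: FINDING: minfree is 5, expected 25
rm -f "$sample"
```

On a host under review, call check_minfree /etc/security/audit_control and treat a non-zero exit status as a finding.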
Fix Text
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
Additional Identifiers
Rule ID:
Vulnerability ID: V-1340
Group Title:
CCIs
Number | Definition |
---|---|
CCI-001855 | The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. |
Controls
Number | Title |
---|---|
AU-5 (1) | Audit Storage Capacity |