Check: OL6-00-000311
Oracle Linux 6 STIG: OL6-00-000311 (in versions v2 r7 through v1 r9)
Title
The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity. (Cat II impact)
Discussion
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
Check Content
Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:

# grep space_left /etc/audit/auditd.conf
space_left = [num_megabytes]

If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.
Fix Text
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately:

space_left = [num_megabytes]

The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.
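The check above can be scripted. The following is an added example, not part of the STIG text: the function name `check_space_left`, the sample file and the value 75 are constructed for illustration, and "corresponds to" is assumed to mean an exact match with the locally documented number of megabytes.

```shell
#!/bin/bash
# check_space_left CONF DOCUMENTED_MB
# Returns 0 when space_left equals the documented value, 1 for a finding.
# DOCUMENTED_MB is the locally documented threshold (supplied by the caller).
check_space_left() {
    local conf="$1" documented="$2" value
    case "$documented" in
        ''|*[!0-9]*)
            echo "FINDING: no documented megabyte value supplied"; return 1 ;;
    esac
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"; return 1
    fi
    # Match the exact key only. A plain "grep space_left" also returns
    # space_left_action, admin_space_left and commented-out lines.
    # Assumption: if the key appears more than once, the last line is used.
    value=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "space_left") { last = $2; gsub(/[ \t]/, "", last) }
        }
        END { print last }' "$conf")
    case "$value" in
        '')
            echo "FINDING: space_left is not set in $conf"; return 1 ;;
        *[!0-9]*)
            echo "FINDING: space_left = $value is not a megabyte count"; return 1 ;;
    esac
    if [ "$value" -ne "$documented" ]; then
        echo "FINDING: space_left = $value, documented value is $documented"
        return 1
    fi
    echo "PASS: space_left = $value matches the documented value"
}

# Constructed sample file (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# space_left = 10
space_left = 75
space_left_action = email
admin_space_left = 50
EOF
check_space_left "$sample" 75
rm -f "$sample"
```

On a live system, pass "/etc/audit/auditd.conf" and the documented value as the two arguments.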
Additional Identifiers
Rule ID: SV-219577r854353_rule
Vulnerability ID: V-219577
Group Title: SRG-OS-000343
CCIs
Number | Definition |
---|---|
CCI-000143 | The information system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity. |
CCI-001855 | The information system provides a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit record storage volume reaches an organization-defined percentage of repository maximum audit record storage capacity. |
Controls
Number | Title |
---|---|
AU-5 (1) | Audit Storage Capacity |