Check: OL6-00-000511
Oracle Linux 6 STIG:
OL6-00-000511
(in versions v2 r7 through v1 r9)
Title
The audit system must take appropriate action when there are disk errors on the audit storage volume. (Cat II impact)
Discussion
Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.
Check Content
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.
Fix Text
Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".
Additional Identifiers
Rule ID: SV-209059r793780_rule
Vulnerability ID: V-209059
Group Title: SRG-OS-000047
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000140 |
The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records). |
Controls
Number | Title |
---|---|
AU-5 |
Response To Audit Processing Failures |