Title

Ubuntu OS must alert the information system security officer (ISSO) and system administrator (SA) in the event of an audit processing failure. (Cat II impact)

Discussion

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000344-GPOS-00135

Check Content

Verify that the SA and ISSO are notified in the event of an audit processing failure by using the following command: $ sudo grep -i action_mail_acct /etc/audit/auditd.conf action_mail_acct = <administrator_email_account> If "action_mail_acct" is not set to the email address of the SA and/or ISSO, is commented out, or is missing, this is a finding.

Fix Text

Configure "auditd" service to notify the SA and ISSO in the event of an audit processing failure. Add or modify the following line in the "/etc/audit/auditd.conf " file: action_mail_acct = <administrator_email_account> Note: Change "administrator_email_account" to the email address of the SA and/or ISSO. Restart the "auditd" service for the changes take effect: $ sudo systemctl restart auditd.service Note: An email package must be installed on the system for email notifications to be sent.

Additional Identifiers

Rule ID: SV-275680r1148090_rule

Vulnerability ID: V-275680

Group Title: SRG-OS-000046-GPOS-00022

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.