Check: RHEL-06-000004
Red Hat Enterprise Linux 6 STIG: RHEL-06-000004 (in versions v2 r2 through v1 r14)
Title
The system must use a separate file system for the system audit data path. (Cat III impact)
Discussion
Placing "/var/log/audit" in its own partition enables better separation between audit files and other files, and helps ensure that auditing cannot be halted due to the partition running out of space.
Check Content
Run the following command to determine if "/var/log/audit" is on its own partition or logical volume:

    $ mount | grep "on /var/log/audit "

If "/var/log/audit" has its own partition or volume group, a line will be returned. If no line is returned, this is a finding.
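The same check in scriptable form, as an added example that is not part of the STIG text: it reads a mount table in /proc/mounts format and matches the mount point field exactly, which is what the trailing space in the grep pattern above approximates. The function names and the sample mount tables are constructed for illustration.

```shell
#!/bin/sh
# Added example: evaluates the RHEL-06-000004 check against a mount table in
# /proc/mounts format (fields: device mountpoint fstype options dump pass).

# audit_mount_source MOUNTS_FILE [PATH]
# Prints "device fstype" of the file system mounted exactly on PATH and
# returns 0; returns 1 (a finding) when PATH is not its own mount point.
audit_mount_source() {
    mounts_file=$1
    target=${2:-/var/log/audit}
    # Exact match on field 2, so /var/log and /var/log/audit.old do not count.
    # The last matching line wins: later mounts shadow earlier ones.
    awk -v t="$target" '
        $2 == t { src = $1 " " $3; found = 1 }
        END { if (found) print src; exit !found }
    ' "$mounts_file"
}

# Constructed sample mount tables (not taken from a real host).
sample_compliant() {
    cat <<'EOF'
/dev/mapper/vg_sys-lv_root / ext4 rw,relatime 0 0
/dev/mapper/vg_sys-lv_var /var ext4 rw,relatime 0 0
/dev/mapper/vg_sys-lv_audit /var/log/audit ext4 rw,relatime 0 0
EOF
}

sample_finding() {
    cat <<'EOF'
/dev/mapper/vg_sys-lv_root / ext4 rw,relatime 0 0
/dev/mapper/vg_sys-lv_log /var/log ext4 rw,relatime 0 0
/dev/mapper/vg_sys-lv_old /var/log/audit.old ext4 rw,relatime 0 0
EOF
}

# check_sample GENERATOR: runs the check on one of the constructed tables.
check_sample() {
    tmp=$(mktemp) || return 2
    "$1" > "$tmp"
    rc=0
    audit_mount_source "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

On a live host, call `audit_mount_source /proc/mounts`; the printed device lets the reviewer confirm it differs from the one backing "/var/log".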
Fix Text
Audit logs are stored in the "/var/log/audit" directory. Ensure that it has its own partition or logical volume at installation time, or migrate it later using LVM. Make absolutely certain that it is large enough to store all audit logs that will be created by the auditing daemon.
Additional Identifiers
Rule ID: SV-217849r603264_rule
Vulnerability ID: V-217849
Group Title: SRG-OS-000480
CCIs
Number | Definition |
---|---|
CCI-000137 | The organization allocates audit record storage capacity. |
CCI-000366 | The organization implements the security configuration settings. |
CCI-001849 | The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. |