Title

The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached. (Cat II impact)

Discussion

If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.

Check Content

Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check what action the operating system takes when the threshold for the repository maximum audit record storage capacity is reached with the following command: # grep -i space_left_action /etc/audit/auditd.conf space_left_action = email If the value of the "space_left_action" keyword is not set to "email", this is a finding.

Fix Text

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached. Uncomment or edit the "space_left_action" keyword in "/etc/audit/auditd.conf" and set it to "email". space_left_action = email

Additional Identifiers

Rule ID: SV-204514r971542_rule

Vulnerability ID: V-204514

Group Title: SRG-OS-000343-GPOS-00134

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.