Check: SLEM-05-653030
SUSE Linux Enterprise Micro (SLEM) 5 STIG:
SLEM-05-653030
(in version v1 r1)
Title
SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full. (Cat II impact)
Discussion
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
Check Content
Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command: > sudo grep -iw space_left /etc/audit/auditd.conf space_left = 25% If "space_left" is not set to "25%" or greater, this is a finding.
Fix Text
Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full. Add or modify the following lines in the "/etc/audit/auditd.conf " file: space_left = 25%
Additional Identifiers
Rule ID: SV-261414r996654_rule
Vulnerability ID: V-261414
Group Title: SRG-OS-000343-GPOS-00134
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001855 |
Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity. |
Controls
| Number | Title |
|---|---|
| AU-5(1) |
Audit Storage Capacity |