Title

SLEM 5 must use a separate file system for the system audit data path. (Cat II impact)

Discussion

The use of separate file systems for different paths can protect the system from failures resulting from a file system becoming full or failing.

Check Content

Verify that SLEM 5 has a separate file system/partition for the system audit data path with the following command: Note: "/var/log/audit" is used as the example as it is a common location. > grep /var/log/audit /etc/fstab UUID=c4e898dd-6cd9-4091-a733-9435e505957a /var btrfs defaults,subvol=@/var/log/audit 0 0 If a separate entry for the system audit data path (in this example the "/var/log/audit" path) does not exist, ask the system administrator if the system audit logs are being written to a different file system/partition on the system and then grep for that file system/partition. If a separate file system/partition does not exist for the system audit data path, this is a finding.

Fix Text

Migrate SLEM 5 audit data path onto a separate file system or partition.

Additional Identifiers

Rule ID: SV-261280r996324_rule

Vulnerability ID: V-261280

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.