Title

Audispd must take appropriate action when the SUSE operating system audit storage is full. (Cat II impact)

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. Check that the records are properly off-loaded to a remote server with the following command: # sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix Text

Configure the SUSE operating system to take the appropriate action if the audit storage is full. Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: disk_full_action = syslog

Additional Identifiers

Rule ID: SV-217201r854106_rule

Vulnerability ID: V-217201

Group Title: SRG-OS-000479-GPOS-00224

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.