Check: SLES-15-030800
SUSE Linux Enterprise Server 15 STIG:
SLES-15-030800
(in versions v2 r3 through v2 r2)
Title
Audispd must take appropriate action when the SUSE operating system audit storage is full. (Cat II impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
Check Content
Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full. Check that the records are properly off-loaded to a remote server with the following command: > sudo grep -i "disk_full_action" /etc/audit/audisp-remote.conf disk_full_action = syslog If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Fix Text
Configure the SUSE operating system to take the appropriate action if the audit storage is full. Add, edit, or uncomment the "disk_full_action" option in "/etc/audit/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below: disk_full_action = syslog
Additional Identifiers
Rule ID: SV-234979r1009576_rule
Vulnerability ID: V-234979
Group Title: SRG-OS-000479-GPOS-00224
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001851 |
Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
| Number | Title |
|---|---|
| AU-4(1) |
Transfer to Alternate Storage |