Check: SRG-OS-000341-VMM-001220
Virtual Machine Manager SRG: SRG-OS-000341-VMM-001220
(in versions v2 r2 through v1 r3)
Title
The VMM must allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. (Cat II impact)
Discussion
In order to ensure VMMs have a sufficient storage capacity in which to write the audit logs, VMMs need to be able to allocate audit record storage capacity. The task of allocating audit record storage capacity is usually performed during initial installation of the VMM and should be based upon anticipated audit record volume. If a central audit record storage facility is available, the local storage capacity should be sufficient to hold audit records that would accumulate during anticipated interruptions in delivery of records to the facility.
Check Content
Verify the VMM allocates audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility. If it does not, this is a finding.
Fix Text
Configure the VMM to allocate audit record storage capacity to store at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.
Additional Identifiers
Rule ID: SV-207452r958752_rule
Vulnerability ID: V-207452
Group Title: SRG-OS-000341
CCIs
Number | Definition |
---|---|
CCI-001849 | Allocate audit log storage capacity to accommodate organization-defined audit log retention requirements. |
Controls
Number | Title |
---|---|
AU-4 | Audit Storage Capacity |