Check: 3.092
Windows 2003 DC STIG:
3.092
(in version v6 r40)
Title
The system does not generate an audit event when the audit log reaches a percent full threshold. (Cat III impact)
Discussion
When the audit log reaches a given percent full, an audit event is written to the security log. The event ID is 523 and is recorded as a success audit under the category of System. This option may be especially useful if the audit logs are set to be cleared manually. A recommended setting would be 90 percent.
Check Content
Fix Text
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> “MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning” to “90” or less.
Additional Identifiers
Rule ID: SV-29728r1_rule
Vulnerability ID: V-4108
Group Title:
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000139 |
Alert organization-defined personnel or roles within an organization-defined time period in the event of an audit logging process failure. |
| CCI-001855 |
Provide a warning to organization-defined personnel, roles, and/or locations within an organization-defined time period when allocated audit log storage volume reaches an organization-defined percentage of repository maximum audit log storage capacity. |
| CCI-001858 |
Provide an alert in an organization-defined real-time-period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur. |