The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.

From Apple OS X 10.9 (Mavericks) Workstation Security Technical Implementation Guide

Part of SRG-OS-000343

Associated with: CCI-001855

SV-72753r1_rule The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.

Vulnerability discussion

The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs.When minfree is set to 25%, security personnel are notified immediately when the storage volume is 75% full and are able to plan for audit record storage capacity expansion.

Check content

The check displays the '% free' to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: sudo grep ^minfree /etc/security/audit_control If this returns no results, or does not contain 25, this is a finding.

Fix text

Edit the /etc/security/audit_control file, and change the value for 'minfree' to 25. Use the following command to set the 'minfree' value to '25%': sudo sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; sudo audit -s A text editor may also be used to implement the required update to the /etc/security/audit_control file.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer