The audit system must alert the SA when the audit storage volume approaches its capacity.

From SOLARIS 10 SPARC SECURITY TECHNICAL IMPLEMENTATION GUIDE

Associated with IA controls: ECSC-1

Associated with: CCI-000143

SV-40564r1_rule The audit system must alert the SA when the audit storage volume approaches its capacity.

Vulnerability discussion

An accurate and current audit trail is essential for maintaining a record of system activity. If the system fails, the SA must be notified and must take prompt action to correct the problem.Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as email or paging) should be employed consistent with the site’s established operations management systems and procedures.

Check content

Verify the presence of an audit_warn entry in /etc/mail/aliases. # grep audit_warn /etc/mail/aliases If there is no audit_warn entry in /etc/mail/aliases, this is a finding. Verify the minfree parameter in /etc/security/audit_control. # egrep '^minfree:' /etc/security/audit_control If the minfree parameter is set to zero or not set at all, this is a finding.

Fix text

If necessary, add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s). # vi /etc/mail/aliases Put the updated aliases file into service. # newaliases If necessary, add or update the minfree: parameter in /etc/security/audit_control. # vi /etc/security/audit_control Ensure the minfree value is greater than zero and less than 100.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.