The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.

From Red Hat Enterprise Linux 6 Security Technical Implementation Guide

Part of SRG-OS-000048

Associated with: CCI-000143

SV-50479r2_rule The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.

Vulnerability discussion

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

Check content

Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:

# grep space_left /etc/audit/auditd.conf
space_left = [num_megabytes]

If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.
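The check above can be scripted. The following is an added example, not part of the STIG text: it reads only the "space_left" key (a plain grep for space_left also prints the "space_left_action" and "admin_space_left" lines) and compares it with the locally documented value. The function names, the sample file and the reading of "correspond" as an exact match are assumptions.

```shell
#!/bin/sh
# Added example (not from the STIG). The sample config below is constructed.

# Print the value of the "space_left" key only. A plain `grep space_left`
# also matches "space_left_action" and "admin_space_left".
get_space_left() {
    awk -F= '
        /^[ \t]*#/ { next }                 # ignore commented-out settings
        {
            key = $1; val = $2
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "space_left") found = val
        }
        END { if (found == "") exit 1; print found }
    ' "$1"
}

# $1 = config file, $2 = locally documented value in megabytes.
# Returns 0 when compliant, 1 when the check is a finding.
# Assumption: "corresponds to" is treated as an exact match.
check_space_left() {
    conf=$1; documented=$2
    case $documented in
        ''|*[!0-9]*) echo "FINDING: no locally documented megabyte value"; return 1 ;;
    esac
    actual=$(get_space_left "$conf") || {
        echo "FINDING: space_left is not set in $conf"; return 1; }
    case $actual in
        *[!0-9]*) echo "FINDING: space_left is not numeric: $actual"; return 1 ;;
    esac
    if [ "$actual" -ne "$documented" ]; then
        echo "FINDING: space_left=$actual, documented=$documented"; return 1
    fi
    echo "OK: space_left=$actual matches the documented value"
}

# Constructed sample standing in for /etc/audit/auditd.conf.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
log_file = /var/log/audit/audit.log
#space_left = 10
space_left = 75
space_left_action = email
admin_space_left = 50
EOF

check_space_left "$SAMPLE" 75 || true     # matches the documented value
check_space_left "$SAMPLE" 100 || true    # mismatch is reported as a finding
```

On a real host, call check_space_left with "/etc/audit/auditd.conf" and the documented number of megabytes.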

Fix text

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately:

space_left = [num_megabytes]

The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.
