The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

From Red Hat Enterprise Linux 7 Security Technical Implementation Guide

Part of SRG-OS-000343-GPOS-00134

Associated with: CCI-001855

SV-86713r1_rule The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Vulnerability discussion

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Check content

Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command: # grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ 0.9G /var/log/audit If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: # du -sh 1.8G /var Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached: # grep -i space_left /etc/audit/auditd.conf space_left = 225 If the value of the "space_left" keyword is not set to 25 percent of the total partition size, this is a finding.

Fix text

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to: # grep log_file /etc/audit/auditd.conf Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 75 percent of the partition size.

Pro Tips

Lavender hyperlinks in small type off to the right (of CSS class id, if you view the page source) point to globally unique URIs for each document and item. Copy the link location and paste anywhere you need to talk unambiguously about these things.

You can obtain data about documents and items in other formats. Simply provide an HTTP header Accept: text/turtle or Accept: application/rdf+xml.

Powered by sagemincer