STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Red Hat Enterprise Linux 7 Security Technical Implementation Guide Version: 3 Release: 3 Benchmark Date: 23 Apr 2021:SV-204515r603261_rule
V-204515
SRG-OS-000343-GPOS-00134
RHEL-07-030350
CAT II
10
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.
Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel.
action_mail_acct = root
Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:
# grep -i action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root
If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.
V-204515
False
RHEL-07-030350
Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.
Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:
# grep -i action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root
If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.
M
2899