STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The audit system must take appropriate action when there are disk errors on the audit storage volume.

DISA Rule

SV-209059r603263_rule

Vulnerability Number

V-209059

Group Title

SRG-OS-000047

Rule Version

OL6-00-000511

Severity

CAT II

CCI(s)

• CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Weight

10

Fix Recommendation

Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

disk_error_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"exec"
"suspend"
"single"
"halt"

Set this to "syslog", "exec", "single", or "halt".

Check Contents

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:

# grep disk_error_action /etc/audit/auditd.conf
disk_error_action = [ACTION]

If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Vulnerability Number

V-209059

Documentable

False

Rule Version

OL6-00-000511

Severity Override Guidance

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur:

# grep disk_error_action /etc/audit/auditd.conf
disk_error_action = [ACTION]

If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Check Content Reference

M

Target Key

2928

Comments