STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Audispd must take appropriate action when the SUSE operating system audit storage is full.

DISA Rule

SV-217201r603262_rule

Vulnerability Number

V-217201

Group Title

SRG-OS-000479-GPOS-00224

Rule Version

SLES-12-020110

Severity

CAT II

CCI(s)

• CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Weight

10

Fix Recommendation

Configure the SUSE operating system to take the appropriate action if the audit storage is full.

Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below:

disk_full_action = syslog

Check Contents

Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.

Check that the records are properly off-loaded to a remote server with the following command:

# sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf
disk_full_action = syslog

If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Vulnerability Number

V-217201

Documentable

False

Rule Version

SLES-12-020110

Severity Override Guidance

Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.

Check that the records are properly off-loaded to a remote server with the following command:

# sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf
disk_full_action = syslog

If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Check Content Reference

M

Target Key

4033

Comments