STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021

The audit system must alert designated staff members when the audit storage volume approaches capacity.

DISA Rule

SV-219542r603263_rule

Vulnerability Number

V-219542

Group Title

SRG-OS-000343

Rule Version

OL6-00-000005

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the 'auditd.conf' man page. These include: 'ignore', 'syslog', 'email', 'exec', 'suspend', 'single', and 'halt'. Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.

OL6-00-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.

Check Contents

Inspect '/etc/audit/auditd.conf' and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email

If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The 'syslog' option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.
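The grep in the check above also matches commented-out lines and the separate 'admin_space_left_action' setting, so its output has to be read carefully. The following is an added example, not part of the STIG text: a stricter check that maps the setting to the three outcomes described above. The function name check_space_left_action and its return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not STIG text). check_space_left_action is a hypothetical helper.
# Usage: check_space_left_action [path-to-auditd.conf]
# Returns: 0 = compliant, 1 = finding, 2 = manual review needed.
check_space_left_action() {
    conf="${1:-/etc/audit/auditd.conf}"
    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 1; }

    # Match the keyword only at the start of a line, so '#' comments and
    # 'admin_space_left_action' are skipped. Assumptions: keyword and value
    # are case-insensitive, and a later duplicate overrides an earlier one.
    action=$(awk -F= '
        tolower($1) ~ /^[ \t]*space_left_action[ \t]*$/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v); last = v
        }
        END { print last }' "$conf")

    case "$action" in
        email)  echo "PASS: space_left_action = email"; return 0 ;;
        syslog) echo "REVIEW: syslog set; confirm log management notifies an administrator"
                return 2 ;;
        "")     echo "FINDING: space_left_action not set in $conf"; return 1 ;;
        *)      echo "FINDING: space_left_action = $action"; return 1 ;;
    esac
}

# Constructed sample: a plain grep would also return the first two lines.
demo=$(mktemp)
printf '%s\n' '#space_left_action = email' \
    'admin_space_left_action = SUSPEND' \
    'space_left_action = SYSLOG' > "$demo"
check_space_left_action "$demo" || true   # reports REVIEW for this sample
rm -f "$demo"
```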

Documentable

False

Severity Override Guidance

Inspect '/etc/audit/auditd.conf' and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email

If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding. The 'syslog' option is acceptable when it can be demonstrated that the local log management infrastructure notifies an appropriate administrator in a timely manner.

Check Content Reference

M

Target Key

2928
