4.5 Ensure system notification is sent out when volume is 75% full

Information

The operating system must initiate an action to notify the Authorizing Official, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Rationale:

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Configure the operating system to initiate an action to notify the Authorizing Official (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
Check the system configuration to determine the partition the audit records are being written to:

# grep -iw log_file /etc/audit/auditd.conf

Determine the size of the partition that audit records are written to (with the example being /var/log/audit/):

# df -h /var/log/audit/

Set the value of the space_left keyword in /etc/audit/auditd.conf to 75 percent of the partition size.
Example: vim /etc/audit/auditd.conf
Add the line with space_left set to 75% of the partition size.
Example:

space_left = 225
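An added shell example, not part of the benchmark or of auditd itself: it reads log_file and space_left from a constructed auditd.conf, derives the threshold from an assumed partition size (standing in for the `df` output) and rewrites the keyword, so the check and the remediation can be scripted rather than done by hand in vim. Note that auditd's space_left is the number of free megabytes remaining at which the action fires, so "notify when the volume is 75% full" corresponds to a space_left equal to the remaining 25% of the partition, which on a 900 MB partition gives the 225 shown above; the config path and partition size are assumptions.

```shell
#!/bin/sh
# Constructed stand-in for /etc/audit/auditd.conf (a temp file, not the real one).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 75
space_left_action = SYSLOG
EOF

# Print the value of a keyword from an auditd.conf-style file ("key = value" with
# spaces, as auditd writes it); the key is matched case-insensitively.
conf_value() {  # $1=file  $2=keyword
    awk -v key="$2" 'tolower($1)==tolower(key) && $2=="=" {print $3; exit}' "$1"
}

# space_left value (MB) that makes auditd act when the partition is $2 percent full.
# auditd compares space_left against free megabytes remaining, so the threshold is the
# leftover (100 - percent) share of the partition, rounded down.
space_left_for_fill() {  # $1=partition size in MB  $2=fill percent
    echo $(( $1 * (100 - $2) / 100 ))
}

# Succeed if the configured space_left fires no later than the target fill level
# (a larger value fires earlier, which still satisfies "at a minimum").
space_left_compliant() {  # $1=file  $2=partition MB  $3=fill percent
    configured=$(conf_value "$1" space_left)
    required=$(space_left_for_fill "$2" "$3")
    [ -n "$configured" ] && [ "$configured" -ge "$required" ]
}

# Replace the existing space_left line, or append one if the keyword is absent.
set_space_left() {  # $1=file  $2=MB
    tmp=$(mktemp)
    awk -v val="$2" 'tolower($1)=="space_left" && $2=="=" {print "space_left = " val; seen=1; next}
                     {print} END {if (!seen) print "space_left = " val}' "$1" > "$tmp" && mv "$tmp" "$1"
}

PART_MB=900   # assumed size of the partition holding the audit log (df -m would report it)
echo "audit log: $(conf_value "$SAMPLE_CONF" log_file) on a ${PART_MB} MB partition"
if space_left_compliant "$SAMPLE_CONF" "$PART_MB" 75; then
    echo "space_left already notifies by 75% full"
else
    set_space_left "$SAMPLE_CONF" "$(space_left_for_fill "$PART_MB" 75)"
    echo "space_left raised to $(conf_value "$SAMPLE_CONF" space_left) MB"
fi
```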

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019

Vul ID: V-72089

Rule ID: SV-86713r3_rule

STIG ID: RHEL-07-030330

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-12, CSCv7|6.2

Plugin: Unix

Control ID: 46c6d0e7589c8a8f0afacc89f6d40ed6f59d3240bd87ff1974b848d963b1f56c