Detections
Analytics

1.372 RHEL-09-653035

Information

RHEL 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

GROUP ID: V-258156
RULE ID: SV-258156r971542

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Configure RHEL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.

space_left = 25%

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-258156r971542_rule, STIG-ID|RHEL-09-653035, Vuln-ID|V-258156

Plugin: Unix

Control ID: a6561765992bc5085a84713a11d196c1d0cb60f8212cb21e8b20bf693fe73294