Detections
Analytics

1.373 RHEL-09-653040

Information

RHEL 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization.

GROUP ID: V-258157
RULE ID: SV-258157r971542

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Configure RHEL 9 to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity by adding/modifying the following line in the /etc/audit/auditd.conf file.

space_left_action = email

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-258157r971542_rule, STIG-ID|RHEL-09-653040, Vuln-ID|V-258157

Plugin: Unix

Control ID: 19b9e23fcdd6b4f3a47f0daf3149afed32a0a8f9167e72fd2dcf12b8ceae9579