Detections
Analytics

1.125 UBTU-22-653040

Information

The operating system must immediately notify the system administrator (SA) and information system security officer (ISSO) when the audit record storage volume reaches 25 percent remaining of the allocated capacity.

GROUP ID: V-260596
RULE ID: SV-260596r971542

If security personnel are not notified immediately when storage volume reaches 25 percent remaining of the allocated capacity, they are unable to plan for audit record storage capacity expansion.

Solution

Configure the operating system to notify the SA and ISSO when the audit record storage volume reaches 25 percent remaining of the allocated capacity.

Add or modify the following lines in the "/etc/audit/auditd.conf " file:

space_left = 25%
space_left_action = email

Restart the "auditd" service for the changes to take effect:

$ sudo systemctl restart auditd.servic

Note: If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO.

See Also

https://workbench.cisecurity.org/benchmarks/22168

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|III, CCI|CCI-001855, CSCv7|6.4, Rule-ID|SV-260596r971542_rule, STIG-ID|UBTU-22-653040, Vuln-ID|V-260596

Plugin: Unix

Control ID: d2364cdbd39af6227e87f4d0ea0e9a2c7ab5e8427f089ee4e1f785134e62fafa