1.175 UBTU-24-900960

Information

The operating system must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

GROUP ID: V-270818
RULE ID: SV-270818r1066943

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec" or "email".

If the "space_left_action" parameter is set to "email", set the "action_mail_acct" parameter to an email address for the SA and ISSO.

If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO.

Edit "/etc/audit/auditd.conf" and set the "space_left" parameter to be at least 25 percent of the repository maximum audit record storage capacity.
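The following POSIX shell check, added here as an example and not part of the benchmark or Nessus output, evaluates an auditd.conf against the settings described above. It assumes the repository capacity in MB is measured separately and passed in as an argument (for example the size of the filesystem holding the audit log directory); the helper names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Read the last value assigned to a key in an auditd.conf-style file ("key = value").
# Hypothetical helper; $1 = config file, $2 = key name.
auditd_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)[[:space:]]*$/\1/p" "$1" | tail -n 1
}

# Check one auditd.conf against the three settings required by the rule.
# $1 = path to auditd.conf, $2 = audit repository capacity in MB (assumed to be
# measured by the caller). Prints findings; returns 0 when compliant, 1 otherwise.
check_space_left() {
    conf="$1"; capacity_mb="$2"; rc=0
    action=$(auditd_get "$conf" space_left_action)
    mail=$(auditd_get "$conf" action_mail_acct)
    left=$(auditd_get "$conf" space_left)
    threshold=$(( capacity_mb * 25 / 100 ))   # 25 percent of capacity, in MB
    case "$action" in
        email)
            # email requires a recipient for the SA and ISSO
            [ -n "$mail" ] || { echo "FAIL: space_left_action=email but action_mail_acct is unset"; rc=1; } ;;
        exec)
            # exec is acceptable, but the command itself must be reviewed manually
            echo "INFO: space_left_action=exec; verify the executed command notifies the SA and ISSO" ;;
        *)
            echo "FAIL: space_left_action is '$action', expected exec or email"; rc=1 ;;
    esac
    case "$left" in
        ''|*[!0-9]*) echo "FAIL: space_left is not a numeric MB value ('$left')"; rc=1 ;;
        *) [ "$left" -ge "$threshold" ] || { echo "FAIL: space_left=$left MB is below 25% of ${capacity_mb} MB ($threshold MB)"; rc=1; } ;;
    esac
    return $rc
}

# Constructed sample configurations (not real system files): one failing, one passing.
noncompliant=$(mktemp); compliant=$(mktemp)
cat > "$noncompliant" <<'EOF'
space_left = 75
space_left_action = syslog
EOF
cat > "$compliant" <<'EOF'
space_left = 250
space_left_action = email
action_mail_acct = root
EOF
```

Running `check_space_left "$compliant" 1000` reports no findings, while the noncompliant sample fails on both the action and the threshold for a 1000 MB repository.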

See Also

https://workbench.cisecurity.org/benchmarks/22775