OL07-00-030340 - The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached - at a minimum via email when the threshold for the repository maximum audit record storage capacity is reached.

Information

If security personnel are not notified immediately when the threshold for the repository maximum audit record storage capacity is reached, they are unable to expand the audit record storage capacity before records are lost.

Solution

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.

Uncomment or edit the 'space_left_action' keyword in '/etc/audit/auditd.conf' and set it to 'email'.

space_left_action = email

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_7_V2R14_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-221775r877389_rule, STIG-ID|OL07-00-030340, STIG-Legacy|SV-108393, STIG-Legacy|V-99289, Vuln-ID|V-221775

Plugin: Unix

Control ID: debca99704db04028b33dffaa2f25fbe55b4c1099cb941e72b4cde55ccfbf230