GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity - audit_warn

Information

An accurate and current audit trail is essential for maintaining a record of system activity. If the system fails, the SA must be notified and must take prompt action to correct the problem.

Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as email or paging) should be employed consistent with the site's established operations management systems and procedures.

Solution

If necessary, add an audit_warn alias to /etc/mail/aliases that will forward to designated system administrator(s).

# vi /etc/mail/aliases

Put the updated aliases file into service.

# newaliases

If necessary, add or update the minfree: parameter in /etc/security/audit_control.

# vi /etc/security/audit_control

Ensure the minfree value is greater than zero and less than 100.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SOL_10_SPARC_V2R4_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-226600r854422_rule, STIG-ID|GEN002730, STIG-Legacy|SV-40564, STIG-Legacy|V-22375, Vuln-ID|V-226600

Plugin: Unix

Control ID: 7ed04952c91c83be45715dd747d286f6c6a0aa9d1ce62c5d6709c12a9a31be0c