UBTU-20-010215 - The Ubuntu operating system must allocate audit record storage capacity to store at least one weeks' worth of audit records, when audit records are not immediately sent to a central audit record storage facility.

Information

In order to ensure operating systems have a sufficient storage capacity in which to write the audit logs, operating systems need to be able to allocate audit record storage capacity.

The task of allocating audit record storage capacity is usually performed during initial installation of the operating system.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Allocate enough storage capacity for at least one week's worth of audit records when audit records are not immediately sent to a central audit record storage facility.

If audit records are stored on a partition made specifically for audit records, use the 'parted' program to resize the partition with sufficient space to contain one week's worth of audit records.

If audit records are not stored on a partition made specifically for audit records, a new partition with sufficient amount of space will need be to be created.

Set the auditd server to point to the mount point where the audit records must be located:

$ sudo sed -i -E 's@^(log_files*=s*).*@1 <log mountpoint>/audit.log@' /etc/audit/auditd.conf

where <log mountpoint> is the aforementioned mount point.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R1_STIG.zip

Item Details

References: CAT|III, CCI|CCI-001849, Rule-ID|SV-238305r654090_rule, STIG-ID|UBTU-20-010215, Vuln-ID|V-238305

Plugin: Unix

Control ID: 7835c7155ed34adbd6a0315cc73af22acc9241fcb08b519ea4200fbbb71cc881