UBTU-20-010217 - The Ubuntu operating system must immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity - at a minimum when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Edit '/etc/audit/auditd.conf' and set the 'space_left_action' parameter to 'exec' or 'email'.

If the 'space_left_action' parameter is set to 'email', set the 'action_mail_acct' parameter to an email address for the SA and ISSO.

If the 'space_left_action' parameter is set to 'exec', ensure the command being executed notifies the SA and ISSO.

Edit '/etc/audit/auditd.conf' and set the 'space_left' parameter to be at least 25% of the repository maximum audit record storage capacity.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_20-04_LTS_V1R10_STIG.zip

Item Details

References: CAT|III, CCI|CCI-001855, Rule-ID|SV-238307r877389_rule, STIG-ID|UBTU-20-010217, Vuln-ID|V-238307

Plugin: Unix

Control ID: 46a433fefaa771d890844b7b1dec28f5d17e6615611c5a0a353aac8d6e1c1830