800-53|AU-5(1)

Title

AUDIT STORAGE CAPACITY

Description

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

Supplemental

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
1.48 APPL-14-001030 | Unix | CIS Apple macOS 14 (Sonoma) STIG v1.0.0 CAT II
1.125 UBTU-22-653040 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT III
1.175 UBTU-24-900960 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT III
1.282 OL08-00-030730 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.283 OL08-00-030731 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.372 RHEL-09-653035 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.373 RHEL-09-653040 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.374 RHEL-09-653045 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.375 RHEL-09-653050 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.379 RHEL-09-653070 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold. | Windows | DISA Windows Vista STIG v6r41
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.2.4 Ensure system notification is sent out when volume is 75% full | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
4.1.2.4 Ensure system notification is sent out when volume is 75% full - SA and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full | Unix | CIS Amazon Linux 2 STIG v2.0.0 L2 Server
4.1.2.5 Ensure system is disabled when audit logs are full | Unix | CIS Amazon Linux 2 STIG v2.0.0 L2 Workstation
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum via email when the threshold for the repository maximum audit record storage capacity is reached. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum when the threshold for the repository maximum audit record storage capacity is reached. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.9 Enable Kernel Level Auditing, Check if 'minfree:20' is set in /etc/security/audit_control. | Unix | CIS Solaris 10 L1 v5.2
6.3.2.7 Ensure the operating system notifies the SA and ISSO when allocated audit record storage volume reaches 75 percent | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
6.3.2.8 Ensure the operating system takes action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = halt | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = email | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
ALMA-09-053260 - AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-053370 - AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-053480 - AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
ALMA-09-053590 - AlmaLinux OS 9 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent usage. | Unix | DISA CloudLinux AlmaLinux OS 9 STIG v1r4
APPL-14-001030 - The macOS system must configure audit capacity warning. | Unix | DISA Apple macOS 14 Sonoma STIG v2r4
APPL-15-001030 - The macOS system must configure audit capacity warning. | Unix | DISA Apple macOS 15 Sequoia STIG v1r5
APPL-26-001030 - The macOS system must configure audit capacity warning. | Unix | DISA Apple macOS 26 Tahoe STIG v1r1
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r2
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v3r2 Middleware
AZLX-23-002035 - Amazon Linux 2023 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. | Unix | DISA Amazon Linux 2023 STIG v1r2
AZLX-23-002040 - Amazon Linux 2023 must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization. | Unix | DISA Amazon Linux 2023 STIG v1r2
AZLX-23-002045 - Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the audit record storage capacity. | Unix | DISA Amazon Linux 2023 STIG v1r2
AZLX-23-002050 - Amazon Linux 2023 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. | Unix | DISA Amazon Linux 2023 STIG v1r2
AZLX-23-002055 - Amazon Linux 2023 must immediately notify the system administrator (SA) and information system security officer (ISSO), at a minimum, of an audit processing failure event. | Unix | DISA Amazon Linux 2023 STIG v1r2
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Catalina - Configure Audit Capacity Warning | Unix | NIST macOS Catalina v1.5.0 - All Profiles
CD12-00-009900 - The system must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. | Unix | DISA STIG Crunchy Data PostgreSQL OS v3r1