800-53|AU-5(1)

Title

AUDIT STORAGE CAPACITY

Description

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

Supplemental

Organizations may have multiple audit data storage repositories distributed across multiple information system components, with each repository having different storage volume capacities.

Reference Item Details

Category: AUDIT AND ACCOUNTABILITY

Parent Title: RESPONSE TO AUDIT PROCESSING FAILURES

Family: AUDIT AND ACCOUNTABILITY

Baseline Impact: HIGH

Audit Items

Name | Plugin | Audit Name
3.092 - The system must generate an audit event when the audit log reaches a percentage of full threshold. | Windows | DISA Windows Vista STIG v6r41
3.330 - The system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75%. | Unix | Tenable Fedora Linux Best Practices v2.0.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action is configured' | Unix | CIS Amazon Linux v2.1.0 L2
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Workstation L2 v2.1.0
4.1.1.2 Ensure system is disabled when audit logs are full - 'space_left_action' | Unix | CIS Ubuntu Linux 14.04 LTS Server L2 v2.1.0
4.1.2.4 Ensure system notification is sent out when volume is 75% full - SA and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum via email when the threshold for the repository maximum audit record storage capacity is reached. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum when the threshold for the repository maximum audit record storage capacity is reached. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
4.9 Enable Kernel Level Auditing, Check if 'minfree:20' is set in /etc/security/audit_control. | Unix | CIS Solaris 10 L1 v5.2
5.8 Enable kernel-level auditing, Check if 'minfree:20' is set in /etc/security/audit_control. | Unix | CIS Solaris 9 v1.3
8.1.1.2 Disable System on Audit Log Full - 'admin_space_left_action = halt' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
8.1.1.2 Disable System on Audit Log Full - admin_space_left_action = halt | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full - space_left_action = email | Unix | CIS Debian Linux 7 L2 v1.0.0
8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email' | Unix | CIS Ubuntu 12.04 LTS Benchmark L2 v1.1.0
AOSX-09-000305 - System must provide an immediate warning to the SA and ISSO when allocated audit record storage volume reaches 75%. | Unix | DISA STIG Apple Mac OSX 10.9 v1r2
AOSX-10-000305 - System must provide an immediate warning to the SA and ISSO when allocated audit record storage volume reaches 75%. | Unix | DISA STIG Apple Mac OSX 10.10 v1r5
AOSX-11-000305 - The system must provide an immediate real-time alert of all audit failure events requiring real-time alerts. | Unix | DISA STIG Apple Mac OSX 10.11 v1r6
APPL-14-001030 - The macOS system must configure audit capacity warning. | Unix | DISA Apple macOS 14 (Sonoma) STIG v1r2
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7
AS24-U1-000160 - The Apache web server must use a logging mechanism that is configured to alert the Information System Security Officer (ISSO) and System Administrator (SA) in the event of a processing failure. | Unix | DISA STIG Apache Server 2.4 Unix Server v2r7 Middleware
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - 800-53r4 High
Big Sur - Configure Audit Capacity Warning | Unix | NIST macOS Big Sur v1.4.0 - 800-53r5 High
Catalina - Configure Audit Capacity Warning | Unix | NIST macOS Catalina v1.5.0 - All Profiles
Catalina - Configure Audit Capacity Warning | Unix | NIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Configure Audit Capacity Warning | Unix | NIST macOS Catalina v1.5.0 - 800-53r4 High
DB2X-00-007600 - DB2 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Windows | DISA STIG IBM DB2 v10.5 LUW v1r4 OS Windows
DB2X-00-007600 - DB2 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Unix | DISA STIG IBM DB2 v10.5 LUW v2r1 OS Linux
DB2X-00-007600 - DB2 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Windows | DISA STIG IBM DB2 v10.5 LUW v2r1 OS Windows
DB2X-00-007600 - DB2 must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Unix | DISA STIG IBM DB2 v10.5 LUW v1r4 OS Linux
DKER-EE-003330 - Log aggregation/SIEM systems must be configured to alarm when audit storage space for Docker Engine - Enterprise nodes exceed 75% usage. | Unix | DISA STIG Docker Enterprise 2.x Linux/Unix v2r1
Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt' | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
Ensure system is disabled when audit logs are full - 'space_left_action = email' | Unix | Tenable Cisco Firepower Management Center OS Best Practices Audit
EP11-00-008000 - The EDB Postgres Advanced Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75% of maximum audit record storage capacity. | Windows | EDB PostgreSQL Advanced Server v11 Windows OS Audit v2r3
EPAS-00-008000 - The EDB Postgres Advanced Server must provide a warning to appropriate support staff when allocated audit record storage volume reaches 75 percent of maximum audit record storage capacity. | PostgreSQLDB | EnterpriseDB PostgreSQL Advanced Server DB v1r1
F5BI-DM-000191 - The BIG-IP appliance must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | F5 | DISA F5 BIG-IP Device Management 11.x STIG v1r7
F5BI-DM-000191 - The BIG-IP appliance must be configured to allocate audit record storage capacity in accordance with organization-defined audit record storage requirements. | F5 | DISA F5 BIG-IP Device Management 11.x STIG v2r1
F5BI-DM-000193 - The BIG-IP appliance must be configured to generate an immediate alert when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity. | F5 | DISA F5 BIG-IP Device Management STIG v2r3
Fortigate - full-final-warning-threshold <= 95% | FortiGate | TNS Fortigate FortiOS Best Practices
Fortigate - full-final-warning-threshold <= 95% | FortiGate | TNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - full-first-warning-threshold <= 75% | FortiGate | TNS Fortigate FortiOS Best Practices
Fortigate - full-first-warning-threshold <= 75% | FortiGate | TNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - full-second-warning-threshold <= 90% | FortiGate | TNS Fortigate FortiOS Best Practices v2.0.0
Fortigate - full-second-warning-threshold <= 90% | FortiGate | TNS Fortigate FortiOS Best Practices
GEN002719 - The audit system must alert the SA in the event of an audit processing failure. | Unix | DISA STIG Solaris 10 SPARC v2r2
GEN002719 - The audit system must alert the SA in the event of an audit processing failure. | Unix | DISA STIG Solaris 10 X86 v2r1
GEN002719 - The audit system must alert the SA in the event of an audit processing failure. | Unix | DISA STIG Solaris 10 SPARC v2r1