UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must provide an immediate warning to the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of repository maximum audit record storage capacity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-67515 AOSX-11-000305 SV-82005r1_rule Medium
Description
The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When minfree is set to 25%, security personnel are notified immediately when the storage volume is 75% full and are able to plan for audit record storage capacity expansion.
STIG Date
Apple OS X 10.11 Security Technical Implementation Guide 2017-07-11

Details

Check Text ( C-68081r1_chk )
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command:

/usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control

If this returns no results, or does not contain "25", this is a finding.
Fix Text (F-73629r1_fix)
Edit the /etc/security/audit_control file, and change the value for "minfree" to "25". Use the following command to set the "minfree" value to "25%":

/usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s

A text editor may also be used to implement the required updates to the /etc/security/audit_control file.