The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-6139	APP3650	SV-6139r1_rule	ECAT-2	Low

Description
If an application audit log reaches capacity without warning, it will stop logging important system and security events. It could also open the system up for a type of denial of service attack, if an application halts with a full log.

STIG	Date
Application Security and Development STIG	2014-04-03

Details

Check Text ( C-2952r1_chk )
Examine the application documentation and ask the application representative what automated mechanism is in place to ensure the administrator is notified when the application logs are near capacity. 1) If an automated mechanism is not in place to warn the administrator, it is a finding. If the application representative or the documentation indicates a mechanism is in place, examine the configuration of the mechanism to ensure the process is present and executing. 2) If an automated mechanism is not executing, it is a finding. Note: This may be automated by the operating system of the application servers.

Check Text ( C-2952r1_chk )

Examine the application documentation and ask the application representative what automated mechanism is in place to ensure the administrator is notified when the application logs are near capacity.

1) If an automated mechanism is not in place to warn the administrator, it is a finding.

If the application representative or the documentation indicates a mechanism is in place, examine the configuration of the mechanism to ensure the process is present and executing.

2) If an automated mechanism is not executing, it is a finding.

Note: This may be automated by the operating system of the application servers.

Fix Text (F-17116r1_fix)
Implement a warning mechanism to notify system administrators when the audit records are near full.