UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-75623 UBTU-16-020030 SV-90303r2_rule Medium
Description
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.
STIG Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide 2018-07-18

Details

Check Text ( C-75327r2_chk )
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands:

#sudo grep space_left_action /etc/audit/auditd.conf

space_left_action email

If the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command:

#sudo grep action_mail_acct parameter /etc/audit/auditd.conf

action_mail_acct parameter root@localhost

If the space_left_action or the action_mail_accnt parameters are set to blanks, this is a finding.

If the space_left_action is set to "syslog", the system logs the event, this is not a finding.

If the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.

The action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding.

Note: If the email address of the system administrator is on a remote system a mail package must be available.
Fix Text (F-82251r2_fix)
Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).