The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215035	UBTU-16-020021	SV-215035r508033_rule		Medium

Description
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

STIG	Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide	2020-09-03

Details

Check Text ( C-16234r284973_chk )
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command: # sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.log Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ 1.0G /var/log/audit If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command: # du -sh 1.0G /var Determine what the threshold is for the system to take action when 75% of the repository maximum audit record storage capacity is reached: # grep -i space_left /etc/audit/auditd.conf space_left = 250 If the value of the "space_left" keyword is not set to 25% of the total partition size, this is a finding.

Check Text ( C-16234r284973_chk )

Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check the system configuration to determine the partition the audit records are being written to with the following command:

# sudo grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log

Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):

# df -h /var/log/audit/
1.0G /var/log/audit

If the audit records are not being written to a partition specifically created for audit records (in this example "/var/log/audit" is a separate partition), determine the amount of space other files in the partition are currently occupying with the following command:

# du -sh
1.0G /var

Determine what the threshold is for the system to take action when 75% of the repository maximum audit record storage capacity is reached:

# grep -i space_left /etc/audit/auditd.conf
space_left = 250

If the value of the "space_left" keyword is not set to 25% of the total partition size, this is a finding.

Fix Text (F-16232r284974_fix)
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to: # grep log_file /etc/audit/auditd.conf Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"): # df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25% of the partition size.

Fix Text (F-16232r284974_fix)

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check the system configuration to determine the partition the audit records are being written to:

# grep log_file /etc/audit/auditd.conf

Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):

# df -h /var/log/audit/

Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25% of the partition size.