The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-215036	UBTU-16-020030	SV-215036r610931_rule		Medium

Description
If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

STIG	Date
Canonical Ubuntu 16.04 LTS Security Technical Implementation Guide	2020-12-09

Details

Check Text ( C-16235r284976_chk )
Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands: #sudo grep space_left_action /etc/audit/auditd.conf space_left_action email If the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command: #sudo grep action_mail_acct parameter /etc/audit/auditd.conf action_mail_acct parameter root@localhost If the space_left_action or the action_mail_accnt parameters are set to blanks, this is a finding. If the space_left_action is set to "syslog", the system logs the event, this is not a finding. If the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding. The action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding. Note: If the email address of the system administrator is on a remote system a mail package must be available.

Check Text ( C-16235r284976_chk )

Verify the Ubuntu operating system notifies the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check that the Ubuntu operating system notifies the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity with the following commands:

#sudo grep space_left_action /etc/audit/auditd.conf

space_left_action email

If the space_left_action is set to "email" check the value of the "action_mail_acct" parameter with the following command:

#sudo grep action_mail_acct parameter /etc/audit/auditd.conf

action_mail_acct parameter root@localhost

If the space_left_action or the action_mail_accnt parameters are set to blanks, this is a finding.

If the space_left_action is set to "syslog", the system logs the event, this is not a finding.

If the space_left_action is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.

The action_mail_acct parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the e-mail address of the system administrator(s) and/or ISSO, this is a finding.

Note: If the email address of the system administrator is on a remote system a mail package must be available.

Fix Text (F-16233r284977_fix)
Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity. Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).

Fix Text (F-16233r284977_fix)

Configure the operating system to immediately notify the SA and ISSO (at a minimum) via email when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec", "email", or "syslog". If the "space_left_action" parameter is set to "email" set the "action_mail_acct" parameter to an e-mail address for the System Administrator (SA) and Information System Security Officer (ISSO).