The MDM server must overwrite the oldest audit log entries when audit logs reach capacity.


Overview

Finding ID: V-36294
Version: SRG-APP-109-MDM-254-SRV
Rule ID: SV-47698r1_rule
IA Controls:
Severity: Low
Description
It is critical that when a system is at risk of failing to process audit logs as required, it detects and takes action to mitigate the failure. Overwriting the oldest audit log entries is the safest course of action in the context of the limited resources available on a mobile device that may not have network connectivity.
STIG: Mobile Device Manager Security Requirements Guide
Date: 2013-01-24

Details

Check Text (C-44535r1_chk)
Review the configuration settings to determine whether the audit system is configured to overwrite the oldest audit log entries when audit logs reach capacity. If this capability is not apparent from the configuration files or vendor documentation, then take actions to fill the audit logs and verify the oldest entries are overwritten when the log is full. If the oldest entries are not overwritten, this is a finding.
Fix Text (F-40825r1_fix)
Configure the MDM server to overwrite the oldest audit log entries when audit logs reach capacity.