
The mobile operating system must overwrite the oldest audit log entries when audit logs reach capacity.


Overview

Finding ID: V-32963
Version: SRG-OS-000047-MOS-000022
Rule ID: SV-43361r1_rule
IA Controls: none listed
Severity: Low
Description
It is critical that a system at risk of failing to process audit logs as required detects the condition and takes action to mitigate the failure. Overwriting the oldest audit log entries is the best course of action given the limited resources available on a mobile device that may not have network connectivity. The mobile operating system must continue generating audit records while overwriting the oldest audit records in a first-in, first-out manner when the audit service failure is caused by a lack of audit record storage capacity. Mobile devices send event audit records to remote log or management servers. Should communications with this server be lost, or the server fail, the mobile operating system must queue audit records locally until communications are restored or until the audit records are retrieved manually.
STIG: Mobile Operating System Security Requirements Guide
Date: 2013-07-03

Details

Check Text (C-41264r2_chk)
Review the configuration settings to determine if the audit system is configured to overwrite the oldest audit log entries when audit logs reach capacity. If this capability is not apparent from the configuration files or vendor documentation, then take action to fill the audit logs and verify the oldest entries are overwritten when the log is full. If the oldest entries are not overwritten, this is a finding.
Fix Text (F-36878r1_fix)
Configure the operating system to overwrite the oldest audit log entries when audit logs reach capacity.
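The following is an added example, not code from the STIG or from any vendor's audit subsystem, showing what the Description and Check Text ask for: a bounded local audit store that keeps accepting records by overwriting the oldest first-in, first-out, that holds records locally until a remote log server can be reached, and a check routine that follows the fill-and-verify procedure from the Check Text. The names LocalAuditQueue, DropNewestQueue and check_oldest_overwritten are my own; DropNewestQueue exists only to show what a finding looks like.

```python
from collections import deque
from dataclasses import dataclass

@dataclass
class AuditRecord:
    seq: int    # monotonically increasing sequence number
    event: str

class LocalAuditQueue:
    """Bounded FIFO audit store: when full, the oldest record is overwritten so new ones are always accepted."""
    def __init__(self, capacity: int):
        self.capacity = capacity
        self._buf = deque(maxlen=capacity)  # deque with maxlen evicts its oldest entry automatically
        self._seq = 0
        self.overwritten = 0                # records lost to overwrite (worth auditing itself)
    def record(self, event: str):
        self._seq += 1
        if len(self._buf) == self.capacity:
            self.overwritten += 1
        self._buf.append(AuditRecord(self._seq, event))
        return self._seq
    def entries(self):
        return list(self._buf)
    def drain(self, send) -> int:
        """Forward queued records to the remote log server, oldest first; a record stays
        queued whenever send() reports the link is down (returns False)."""
        sent = 0
        while self._buf and send(self._buf[0]):
            self._buf.popleft()
            sent += 1
        return sent

class DropNewestQueue(LocalAuditQueue):
    """Non-compliant behaviour for contrast (hypothetical): once full, new records are silently discarded."""
    def record(self, event: str):
        if len(self._buf) == self.capacity:
            return None
        return super().record(event)

def check_oldest_overwritten(queue: LocalAuditQueue) -> bool:
    """The check text's procedure: fill past capacity, then verify the oldest entry is gone
    and exactly the newest `capacity` entries remain. True means not a finding."""
    first = queue.record("fill-start")
    if first is None:
        return False
    for i in range(queue.capacity):
        queue.record(f"fill-{i}")
    seqs = [r.seq for r in queue.entries()]
    return seqs == list(range(first + 1, first + queue.capacity + 1))
```

The check works on a queue in any prior state, because it only compares the surviving sequence numbers against the ones it generated itself.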