The audit system must take appropriate action when there are disk errors on the audit storage volume.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-218094 | RHEL-06-000511 | SV-218094r505923_rule | Medium |
| Description |
|---|
| Taking appropriate action in case of disk errors will minimize the possibility of losing audit records. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2020-09-03 |
Details
| Check Text ( C-19575r377297_chk ) |
|---|
| Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding. |
| Fix Text (F-19573r377298_fix) |
|---|
| Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt". |