UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure.


Overview

Finding ID Version Rule ID IA Controls Severity
V-72081 RHEL-07-030010 SV-86705r1_rule Medium
Description
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without this notification, the security personnel may be unaware of an impending failure of the audit capability, and system operation may be adversely affected. Audit processing failures include software/hardware errors, failures in the audit capturing mechanisms, and audit storage capacity being reached or exceeded. This requirement applies to each audit data storage repository (i.e., distinct information system component where audit records are stored), the centralized audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both. Satisfies: SRG-OS-000046-GPOS-00022, SRG-OS-000047-GPOS-00023
STIG Date
Red Hat Enterprise Linux 7 Security Technical Implementation Guide 2017-07-08

Details

Check Text ( C-72313r1_chk )
Confirm the audit configuration regarding how auditing processing failures are handled.

Check to see what level "auditctl" is set to with following command:

# auditctl -l | grep /-f
-f 2

If the value of "-f" is set to "2", the system is configured to panic (shut down) in the event of an auditing failure.

If the value of "-f" is set to "1", the system is configured to only send information to the kernel log regarding the failure.

If the "-f" flag is not set, this is a CAT I finding.

If the "-f" flag is set to any value other than "1" or "2", this is a CAT II finding.

If the "-f" flag is set to "1" but the availability concern is not documented or there is no monitoring of the kernel log, this is a CAT III finding.
Fix Text (F-78433r1_fix)
Configure the operating system to shut down in the event of an audit processing failure.

Add or correct the option to shut down the operating system with the following command:

# auditctl -f 2

If availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure with the following command:

# auditctl -f 1

Kernel log monitoring must also be configured to properly alert designated staff.

The audit daemon must be restarted for the changes to take effect.