The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-77293 | SLES-12-020030 | SV-91989r1_rule | Medium |
| Description |
|---|
| If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. |
| STIG | Date |
|---|---|
| SLES 12 Security Technical Implementation Guide | 2018-09-27 |
Details
| Check Text ( C-76849r1_chk ) |
|---|
| Determine if the SUSE operating system auditd is configured to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit record storage volume reaches 75 percent of the storage capacity: # sudo grep space_left /etc/audit/auditd.conf space_left = 75 If "space_left" is not set to "75", this is a finding. |
| Fix Text (F-83935r1_fix) |
|---|
| Edit the SUSE operating system "/etc/audit/auditd.conf" by adding or editing the following line: space_left = 75 |