UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Audispd must take appropriate action when the SUSE operating system audit storage is full.


Overview

Finding ID Version Rule ID IA Controls Severity
V-217201 SLES-12-020110 SV-217201r854106_rule Medium
Description
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
STIG Date
SLES 12 Security Technical Implementation Guide 2023-03-06

Details

Check Text ( C-18429r369759_chk )
Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.

Check that the records are properly off-loaded to a remote server with the following command:

# sudo grep -i "disk_full_action" /etc/audisp/audisp-remote.conf
disk_full_action = syslog

If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.
Fix Text (F-18427r369760_fix)
Configure the SUSE operating system to take the appropriate action if the audit storage is full.

Add, edit, or uncomment the "disk_full_action" option in "/etc/audisp/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below:

disk_full_action = syslog