The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-89787	VRAU-SL-001070	SV-100437r1_rule		Medium

Description
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

Description

It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less).

STIG	Date
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-89479r1_chk )
Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf \| grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG NOTES: If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Check Text ( C-89479r1_chk )

Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command:

# cat /etc/audit/auditd.conf | grep space_left_action

If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding.

Expected Result:
space_left_action = SYSLOG

NOTES:
If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding.

If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Fix Text (F-96529r1_fix)
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart