Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-240505 | VRAU-SL-001070 | SV-240505r852566_rule | Medium |
Description |
---|
It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected. Alerts provide organizations with urgent messages. Real-time alerts provide these messages immediately (i.e., the time from event detection to alert occurs in seconds or less). |
STIG | Date |
---|---|
VMware vRealize Automation 7.x SLES Security Technical Implementation Guide | 2023-09-22 |
Check Text ( C-43738r671254_chk ) |
---|
Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command: # cat /etc/audit/auditd.conf | grep space_left_action If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding. Expected Result: space_left_action = SYSLOG NOTES: If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding. If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding. The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available. |
Fix Text (F-43697r671255_fix) |
---|
Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command: # sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf Restart the audit service: # service auditd restart |