4.1.2.4 Ensure system notification is sent out when volume is 75% full - SA and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Information

The operating system must initiate an action to notify the Authorizing Official, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Rationale:

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Configure the operating system to initiate an action to notify the Authorizing Official (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
Check the system configuration to determine the partition the audit records are being written to:

# grep -iw log_file /etc/audit/auditd.conf

Determine the size of the partition that audit records are written to (with the example being /var/log/audit/):

# df -h /var/log/audit/

Set the value of the space_left keyword in /etc/audit/auditd.conf to 75 percent of the partition size.
Example: vim /etc/audit/auditd.conf
Add the line with space_left set to 75% or the partition size.
Example:

space_left = 225

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CCI|CCI-001855, CSCv7|6.2, Rule-ID|SV-204513r744112_rule, STIG-ID|RHEL-07-030330

Plugin: Unix

Control ID: 1e292c17e822cb23a58ba937128761aaf6a7e9c38b01ba8cf9ecf124e4bcc6d0