Information
The auditing daemon, auditd stores log data in the /var/log/audit directory.
Note: When modifying /var/log/audit it is advisable to bring the system to emergency mode (so auditd is not running), rename the existing directory, mount the new file system, and migrate the data over before returning to multiuser mode.
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition: protection against resource exhaustion (since the audit.log file can grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog ) consume space in the same partition as auditd it may not perform as desired.
Solution
For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit
For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Impact:
Resizing filesystems is a common activity in cloud-hosted servers. Separate filesystem partitions may prevent successful resizing, or may require the installation of additional tools solely for the purpose of resizing operations. The use of these additional tools may introduce their own security considerations.
Item Details
Category: AUDIT AND ACCOUNTABILITY, CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION
References: 800-53|AU-4, 800-53|CM-1, 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|6.4
Control ID: ab510c1258880b3f54280bf2c9b303c18af2e8c42667b812e77a8c1f5148cbb8