GEN002730 - The audit system must alert the SA when the audit storage volume approaches its capacity - 'action_mail_account'

Information

An accurate and current audit trail is essential for maintaining a record of system activity. If the system fails, the SA must be notified and must take prompt action to correct the problem.

Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as e-mail or paging) should be employed consistent with the site's established operations management systems and procedures.

Solution

Edit /etc/audit/auditd.conf and set the space_left_action parameter to a valid setting other than 'ignore'. If the space_left_action parameter is set to 'email' set the action_mail_acct parameter to an e-mail address for the system administrator.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_5_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-000143, CCI|CCI-001855, Rule-ID|SV-218391r603259_rule, STIG-ID|GEN002730, STIG-Legacy|SV-64261, STIG-Legacy|V-22375, Vuln-ID|V-218391

Plugin: Unix

Control ID: 1c697391ad75c4e533b5406d4ce81c8092dd213ef84e680d2781a8295fac7387