SLES-12-020030 - The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.

Information

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Check the system configuration to determine the partition to which the audit records are written:

# grep -iw log_file /etc/audit/auditd.conf

Determine the size of the partition to which audit records are written (e.g., '/var/log/audit/'):

# df -h /var/log/audit/

Set the value of the 'space_left' keyword in '/etc/audit/auditd.conf' to 25 percent of the partition size.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_SLES_12_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-217193r505931_rule, STIG-ID|SLES-12-020030, STIG-Legacy|SV-91989, STIG-Legacy|V-77293, Vuln-ID|V-217193

Plugin: Unix

Control ID: 0498a98c5e50a25cbd05b1e1a44a6fbc6859e5010b42a63494aca30e88510df5