UBTU-16-020021 - The Ubuntu operating system must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Information

If security personnel are not notified immediately when storage volume reaches 75% utilization, they are unable to plan for audit record storage capacity expansion.

Solution

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.

Check the system configuration to determine the partition the audit records are being written to:

# grep log_file /etc/audit/auditd.conf

Determine the size of the partition that audit records are written to (with the example being '/var/log/audit/'):

# df -h /var/log/audit/

Set the value of the 'space_left' keyword in '/etc/audit/auditd.conf' to 25% of the partition size.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_16-04_LTS_V2R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-215035r508033_rule, STIG-ID|UBTU-16-020021, STIG-Legacy|SV-95673, STIG-Legacy|V-80961, Vuln-ID|V-215035

Plugin: Unix

Control ID: 121b5cc57925f1c1ea04754347f9711e74d38258aebd3f1c14ff0be5db1cb56b