STIGQter: STIG Summary: VMware vRealize Automation 7.x SLES Security Technical Implementation Guide, Version: 1, Release: 1, Benchmark Date: 28 Sep 2018

The SLES for vRealize must alert the ISSO and SA (at a minimum) in the event of an audit processing failure.

DISA Rule

SV-100139r1_rule

Vulnerability Number

V-89489

Group Title

SRG-OS-000046-GPOS-00022

Rule Version

VRAU-SL-000125

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

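Set the "space_left_action" parameter to the valid setting "SYSLOG" by running the following command. The pattern is anchored to the start of the line so that the separate "admin_space_left_action" parameter is left untouched:

# sed -i "/^[[:space:]]*space_left_action/ c\space_left_action = SYSLOG" /etc/audit/auditd.conf

Restart the audit service:

# service auditd restart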

Check Contents

Check /etc/audit/auditd.conf for the "space_left_action" parameter with the following command:

# grep '^[[:space:]]*space_left_action' /etc/audit/auditd.conf

If the "space_left_action" parameter is missing; is set to "ignore", "suspend", "single", or "halt"; or is blank, this is a finding.

Expected Result:
space_left_action = SYSLOG

NOTES:

If the "space_left_action" is set to "exec", the system executes a designated script.

If this script informs the SA of the event, this is not a finding.

If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system, "sendmail" must be available.
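
The check and its notes can be scripted as follows. This is an added example, not part of the STIG text: the function names and the MANUAL_REVIEW result (used where the notes leave the decision to the assessor, or where the check text does not cover the value) are hypothetical. It assumes auditd treats keywords and values case-insensitively and that the last occurrence of a parameter wins.

```shell
#!/bin/sh
# Added example: evaluate auditd.conf against the VRAU-SL-000125 check text.
# get_param and check_space_left_action are hypothetical helper names.

# Print the lowercased value of the last uncommented "KEY = value" line.
get_param() {  # $1 = key, $2 = config file
    awk -F= -v key="$1" '
        /^[ \t]*#/ { next }
        {
            k = tolower($1); gsub(/[ \t]/, "", k)
            # Exact key match, so admin_space_left_action is never mistaken for it.
            if (k == key && index($0, "=")) {
                v = tolower(substr($0, index($0, "=") + 1))
                sub(/^[ \t]+/, "", v); sub(/[ \t\r]+$/, "", v)
                val = v; found = 1
            }
        }
        END { if (found) print val }' "$2"
}

check_space_left_action() {  # $1 = config file, $2 = SA e-mail address
    action=$(get_param space_left_action "$1")
    sa=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "${action%% *}" in           # first word; "exec" is followed by a path
        syslog) echo NOT_A_FINDING ;;
        ""|ignore|suspend|single|halt) echo FINDING ;;   # "" = missing or blank
        exec) echo MANUAL_REVIEW ;;   # not a finding only if the script informs the SA
        email)
            acct=$(get_param action_mail_acct "$1")
            [ -n "$acct" ] || acct=root   # documented default when missing
            if [ "$acct" = "$sa" ]; then echo NOT_A_FINDING; else echo FINDING; fi ;;
        *) echo MANUAL_REVIEW ;;      # value not covered by the check text
    esac
}

# Constructed sample: the admin_ variant is set to SYSLOG, the rule's own key is not.
sample=$(mktemp)
printf '%s\n' 'admin_space_left_action = SYSLOG' 'space_left_action = SUSPEND' > "$sample"
check_space_left_action "$sample" sa@example.com   # prints FINDING
rm -f "$sample"
```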

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

3459

Comments