STIGQter STIGQter: STIG Summary: VMware vRealize Automation 7.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

DISA Rule

SV-100437r1_rule

Vulnerability Number

V-89787

Group Title

SRG-OS-000344-GPOS-00135

Rule Version

VRAU-SL-001070

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command:

# sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf

Restart the audit service:

# service auditd restart

Check Contents

Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command:

# cat /etc/audit/auditd.conf | grep space_left_action

If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding.

Expected Result:
space_left_action = SYSLOG

NOTES:
If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding.

If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Vulnerability Number

V-89787

Documentable

False

Rule Version

VRAU-SL-001070

Severity Override Guidance

Check "/etc/audit/auditd.conf" for the "space_left_action" with the following command:

# cat /etc/audit/auditd.conf | grep space_left_action

If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding.

Expected Result:
space_left_action = SYSLOG

NOTES:
If the "space_left_action" is set to "exec" the system executes a designated script. If this script informs the SA of the event, this is not a finding.

If the "space_left_action" is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct parameter", if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Check Content Reference

M

Target Key

3459

Comments