STIGQter: STIG Summary: Oracle Linux 6 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The audit system must take appropriate action when the audit storage volume is full.

DISA Rule

SV-209058r603263_rule

Vulnerability Number

V-209058

Group Title

SRG-OS-000047

Rule Version

OL6-00-000510

Severity

CAT II

CCI(s)

• CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Weight

10

Fix Recommendation

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

disk_full_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"exec"
"suspend"
"single"
"halt"

Set this to "syslog", "exec", "single", or "halt".

Check Contents

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:

# grep disk_full_action /etc/audit/auditd.conf
disk_full_action = [ACTION]

If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.

Vulnerability Number

V-209058

Documentable

False

Rule Version

OL6-00-000510

Severity Override Guidance

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:

# grep disk_full_action /etc/audit/auditd.conf
disk_full_action = [ACTION]

If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.

Check Content Reference

M

Target Key

2928

Comments