STIGQter STIGQter: STIG Summary: SLES 12 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The SUSE operating system audit system must take appropriate action when the audit storage volume is full.

DISA Rule

SV-217196r603262_rule

Vulnerability Number

V-217196

Group Title

SRG-OS-000047-GPOS-00023

Rule Version

SLES-12-020060

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern).

Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "SINGLE", or "HALT" depending on configuration) in "/etc/audit/auditd.conf" file:

disk_full_action = HALT

Check Contents

Verify the SUSE operating system takes the appropriate action when the audit storage volume is full.

Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:

# sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = SYSLOG

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.

Vulnerability Number

V-217196

Documentable

False

Rule Version

SLES-12-020060

Severity Override Guidance

Verify the SUSE operating system takes the appropriate action when the audit storage volume is full.

Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:

# sudo grep disk_full_action /etc/audit/auditd.conf

disk_full_action = SYSLOG

If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.

Check Content Reference

M

Target Key

4033

Comments