STIGQter STIGQter: STIG Summary: Oracle Linux 7 Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

The Oracle Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.

DISA Rule

SV-221776r603260_rule

Vulnerability Number

V-221776

Group Title

SRG-OS-000343-GPOS-00134

Rule Version

OL07-00-030350

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the operating system to immediately notify the SA and ISSO (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached.

Uncomment or edit the "action_mail_acct" keyword in "/etc/audit/auditd.conf" and set it to root and any other accounts associated with security personnel.

action_mail_acct = root

Check Contents

Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.

Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:

# grep -i action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root

If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.

Vulnerability Number

V-221776

Documentable

False

Rule Version

OL07-00-030350

Severity Override Guidance

Verify the operating system immediately notifies the SA and ISSO (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.

Check what account the operating system emails when the threshold for the repository maximum audit record storage capacity is reached with the following command:

# grep -i action_mail_acct /etc/audit/auditd.conf
action_mail_acct = root

If the value of the "action_mail_acct" keyword is not set to "root" and other accounts for security personnel, this is a finding.

Check Content Reference

M

Target Key

4089

Comments