SV-230391r627750_rule
V-230391
SRG-OS-000047-GPOS-00023
RHEL-08-030050
CAT II
10
Configure RHEL 8 to notify the System Administrator (SA) and Information System Security Officer (ISSO) when the audit storage volume is full by setting the "max_log_file_action" parameter in the "/etc/audit/auditd.conf" file to a value of "syslog" or "keep_logs":
max_log_file_action=syslog
Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.
Check which action RHEL 8 takes when the audit storage volume is full with the following command:
$ sudo grep max_log_file_action /etc/audit/auditd.conf
max_log_file_action=syslog
If the value of the "max_log_file_action" option is set to "ignore", "rotate", or "suspend", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.
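The check and fix above as a script, added here as an example and not part of the STIG text. It reads the effective value the way the check text requires (a commented-out line does not count), treats only "syslog" and "keep_logs" as compliant, and rewrites or appends the setting. It runs against a constructed auditd.conf-style fragment, not the real /etc/audit/auditd.conf. Assumptions: auditd matches keys and values case-insensitively and ignores "#" comments (the stock RHEL 8 file ships "max_log_file_action = ROTATE" in upper case), so comparisons are done in lower case; function names are ours.

```shell
#!/bin/sh
# Added example, not part of the STIG text: check and remediate
# max_log_file_action in an auditd.conf-style file. Handles the cases the
# check text names (commented-out line, disallowed values, missing line) and
# the upper-case value shipped in the stock RHEL 8 file.
# Assumption: auditd's parser is case-insensitive for keys and values and
# ignores '#' comments, so we normalise to lower case before comparing.

# Print the effective value of max_log_file_action in FILE (lower-cased), or
# nothing if the key is absent or only present inside a comment.
get_max_log_file_action() {
    sed 's/#.*//' "$1" |
        grep -i '^[[:space:]]*max_log_file_action[[:space:]]*=' |
        tail -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' |
        tr '[:upper:]' '[:lower:]'
}

# Exit status 0 when FILE is compliant (syslog or keep_logs), 1 otherwise
# (ignore, rotate, suspend, anything else, or no setting at all).
check_max_log_file_action() {
    case "$(get_max_log_file_action "$1")" in
        syslog|keep_logs) return 0 ;;
        *)                return 1 ;;
    esac
}

# Rewrite FILE so that max_log_file_action is ACTION (default: syslog). Every
# uncommented setting of the key is replaced; if none exists, one is appended.
# Writing through cat keeps the file's inode, mode and owner (mv would not).
set_max_log_file_action() {
    file="$1"; action="${2:-syslog}"
    tmp="$(mktemp)" || return 1
    awk -v action="$action" '
        {
            probe = $0; sub(/#.*/, "", probe)        # comments never match
            if (tolower(probe) ~ /^[ \t]*max_log_file_action[ \t]*=/) {
                print "max_log_file_action = " action; seen = 1; next
            }
            print
        }
        END { if (!seen) print "max_log_file_action = " action }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo on a constructed file (not the real /etc/audit/auditd.conf).
demo_file="$(mktemp)"
cat > "$demo_file" <<'EOF'
# constructed fragment resembling the stock RHEL 8 auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 8
max_log_file_action = ROTATE
space_left_action = SYSLOG
EOF
if check_max_log_file_action "$demo_file"; then
    echo "before: compliant ($(get_max_log_file_action "$demo_file"))"
else
    echo "before: FINDING ($(get_max_log_file_action "$demo_file"))"
fi
set_max_log_file_action "$demo_file" syslog
echo "after:  $(grep -i '^max_log_file_action' "$demo_file")"
rm -f "$demo_file"
```

On a live system the edit has to be made as root against /etc/audit/auditd.conf, and auditd only re-reads the file on restart; on RHEL 8 that is `service auditd restart`, because the systemd unit refuses a manual `systemctl stop`/`restart`. Note also that the STIG's own `grep max_log_file_action` prints a commented-out line as well as the active one, so read its output rather than treating a match as a pass.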
False
M
2921