STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

The SLES for vRealize must shut down by default upon audit failure (unless availability is an overriding concern).

DISA Rule

SV-99031r1_rule

Vulnerability Number

V-88381

Group Title

SRG-OS-000047-GPOS-00023

Rule Version

VROM-SL-000130

Severity

CAT II

CCI(s)

• CCI-000140 - The information system takes organization-defined actions upon audit failure (e.g., shut down information system, overwrite oldest audit records, stop generating audit records).

Weight

10

Fix Recommendation

Edit /etc/audit/auditd.conf and set the "disk_full_action", "disk_error_action", and "admin_space_left_action" parameters to "syslog" with the following commands:

# sed -i "/^[^#]*disk_full_action/ c\disk_full_action = SYSLOG" /etc/audit/auditd.conf
# sed -i "/^[^#]*disk_error_action/ c\disk_error_action = SYSLOG" /etc/audit/auditd.conf
# sed -i "/^[^#]*admin_space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf

For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

Check Contents

Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set.

# grep disk_full_action /etc/audit/auditd.conf

If the "disk_full_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

# grep disk_error_action /etc/audit/auditd.conf

If the "disk_error_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

# grep admin_space_left_action /etc/audit/auditd.conf

If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

Vulnerability Number

V-88381

Documentable

False

Rule Version

VROM-SL-000130

Severity Override Guidance

Verify the /etc/audit/auditd.conf has the "disk_full_action", "disk_error_action", and "admin_disk_space_left" parameters set.

# grep disk_full_action /etc/audit/auditd.conf

If the "disk_full_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

# grep disk_error_action /etc/audit/auditd.conf

If the "disk_error_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

# grep admin_space_left_action /etc/audit/auditd.conf

If the "admin_space_left_action" parameter is missing or set to "suspend" or "ignore", this is a finding.

Check Content Reference

M

Target Key

3461

Comments