STIGQter: STIG Summary: VMware vRealize Operations Manager 6.x SLES Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 28 Sep 2018:

The SLES for vRealize must provide an immediate real-time alert to the SA and ISSO, at a minimum, of all audit failure events requiring real-time alerts.

DISA Rule

SV-99319r1_rule

Vulnerability Number

V-88669

Group Title

SRG-OS-000344-GPOS-00135

Rule Version

VROM-SL-001045

Severity

CAT II

CCI(s)

• CCI-001858 - The information system provides a real-time alert in an organization-defined real-time period to organization-defined personnel, roles, and/or locations when organization-defined audit failure events requiring real-time alerts occur.

Weight

10

Fix Recommendation

Set the "space_left_action" parameter to the valid setting "SYSLOG", by running the following command:

# sed -i "/^[^#]*space_left_action/ c\admin_space_left_action = SYSLOG" /etc/audit/auditd.conf

Restart the audit service:

# service auditd restart

Check Contents

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command:

# cat /etc/audit/auditd.conf | grep space_left_action

If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding

Expected Result:

space_left_action = SYSLOG

Notes:
If the "space_left_action" parameter is set to "exec" the system executes a designated script.

If this script informs the SA of the event, this is not a finding.

If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Vulnerability Number

V-88669

Documentable

False

Rule Version

VROM-SL-001045

Severity Override Guidance

Check "/etc/audit/auditd.conf" file for the "space_left_action" parameter with the following command:

# cat /etc/audit/auditd.conf | grep space_left_action

If the "space_left_action" parameter is missing, set to "ignore", set to "suspend", set to "single", set to "halt", or is blank, this is a finding

Expected Result:

space_left_action = SYSLOG

Notes:
If the "space_left_action" parameter is set to "exec" the system executes a designated script.

If this script informs the SA of the event, this is not a finding.

If the "space_left_action" parameter is set to "email" and the "action_mail_acct" parameter is not set to the email address of the system administrator, this is a finding.

The "action_mail_acct" parameter, if missing, defaults to "root". Note that if the email address of the system administrator is on a remote system "sendmail" must be available.

Check Content Reference

M

Target Key

3461

Comments