SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
---|---|---|---|---|---|---|
medium | V-261414 | SRG-OS-000343-GPOS-00134 | SLEM-05-653030 | SV-261414r996654_rule | 2024-06-04 | 1 |
Description |
---|
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. |
ℹ️ Check |
---|
Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command: > sudo grep -iw space_left /etc/audit/auditd.conf Expected output: space_left = 25% If "space_left" is not set to "25%" or greater, this is a finding. |
✔️ Fix |
---|
Configure the SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full. Add or modify the following line in the "/etc/audit/auditd.conf" file: space_left = 25% |
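The check and fix above reduce to one grep and one key. The POSIX shell script below is an added example written for this page; it is not part of the STIG, of the SLEM 5 documentation or of auditd. It automates the check against any auditd.conf and separates out a case the check text does not mention: auditd also accepts a bare number for space_left, which it interprets as megabytes rather than a percentage, so such a value cannot be judged against the 25% threshold without knowing the size of the audit volume. The function name space_left_verdict, the verdict strings and the sample files are constructions of this example.

```shell
#!/bin/sh
# Added example, not part of the STIG text: classify the space_left setting
# in an auditd.conf file against this rule's 25% threshold. The function
# name space_left_verdict and the verdict strings are choices made here.
#
# Verdicts printed on stdout:
#   compliant                 percentage value >= 25
#   finding:below-25-percent  percentage value < 25
#   finding:not-set           key absent or present only in a comment
#   finding:unparseable       value is neither N% nor a bare integer
#   manual:absolute-mb        bare integer (auditd reads it as megabytes, so
#                             it must be compared to the audit volume size
#                             by hand; the STIG check expects a percentage)
space_left_verdict() {
    conf="${1:-/etc/audit/auditd.conf}"

    # Same grep as the STIG check: -i for case, -w so that space_left_action
    # and admin_space_left do not match. Commented-out lines are dropped and,
    # if the key appears more than once, the last occurrence is used
    # (an assumption of this example, not documented auditd behaviour).
    value=$(grep -iw 'space_left' "$conf" 2>/dev/null \
        | grep -v '^[[:space:]]*#' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')

    case "$value" in
        '')
            echo finding:not-set ;;
        *%)
            pct="${value%?}"            # strip the trailing percent sign
            case "$pct" in
                ''|*[!0-9]*) echo finding:unparseable ;;
                *)
                    if [ "$pct" -ge 25 ]; then
                        echo compliant
                    else
                        echo finding:below-25-percent
                    fi ;;
            esac ;;
        *[!0-9]*)
            echo finding:unparseable ;;
        *)
            echo manual:absolute-mb ;;
    esac
    return 0
}

# When given a path, check that file and exit 0 only if it is compliant,
# which makes the script usable from a compliance scan.
if [ $# -gt 0 ]; then
    verdict=$(space_left_verdict "$1")
    echo "$1: space_left -> $verdict"
    [ "$verdict" = compliant ] && exit 0 || exit 1
fi

# Otherwise run against constructed samples (not real system files).
demo=$(mktemp)
printf 'log_file = /var/log/audit/audit.log\nspace_left = 25%%\nspace_left_action = email\n' > "$demo"
echo "sample with 25%: $(space_left_verdict "$demo")"
printf 'space_left = 75\n' > "$demo"
echo "sample with bare 75: $(space_left_verdict "$demo")"
rm -f "$demo"
```

Run it with a path (for example sh check_space_left.sh /etc/audit/auditd.conf, where the script name is arbitrary) to get an exit status a scanner can use, or with no arguments to see the constructed samples. Note that space_left only sets the threshold; whether anyone is actually notified when it is crossed depends on space_left_action (and, for an email notification, action_mail_acct) in the same file, which this rule's check does not cover.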