Capacity
CCI-000140
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.
13
Rule
Severity: Medium
Shutdown System When Auditing Failures Occur
59
Rule
Severity: Medium
Configure auditd Disk Error Action on Disk Error
59
Rule
Severity: Medium
Configure auditd Disk Full Action when Disk Space Is Full
30
Rule
Severity: Medium
Configure auditd admin_space_left Action on Low Disk Space
57
Rule
Severity: Medium
Configure auditd max_log_file_action Upon Reaching Maximum Log Size
2
Rule
Severity: Medium
AAA Services must be configured to generate audit records overwriting the oldest audit records in a first-in-first-out manner.
2
Rule
Severity: Medium
AAA Services must be configured to queue audit records locally until communication is restored when any audit processing failure occurs.
2
Rule
Severity: Medium
The ALG must shut down by default upon audit failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
The application server must shut down by default upon log failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
The application server must be configured to fail over to another system in the event of log subsystem failure.
2
Rule
Severity: Medium
The application must shut down by default upon audit failure (unless availability is an overriding concern).
1
Rule
Severity: Medium
The CA API Gateway must shut down by default upon audit failure (unless availability is an overriding concern).
1
Rule
Severity: Medium
In the event of a logging failure, caused by loss of communications with the central logging server, the DBN-6300 must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
1
Rule
Severity: Medium
In the event of a logging failure caused by the lack of log record storage capacity, the DBN-6300 must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
2
Rule
Severity: Medium
In the event that communication with the central audit server is lost, the firewall must continue to queue traffic log records locally.
1
Rule
Severity: Medium
In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally.
1
Rule
Severity: Medium
CounterACT must use an Enterprise Manager or other high availability solution to ensure redundancy in case of audit failure in this critical network access control and security service.
1
Rule
Severity: Medium
Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity.
1
Rule
Severity: Medium
The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure.
2
Rule
Severity: Medium
The WebSphere Liberty Server must be configured to offload logs to a centralized system.
1
Rule
Severity: Low
The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).
1
Rule
Severity: Low
The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.
2
Rule
Severity: Medium
In the event of a logging failure caused by the lack of audit record storage capacity, the IDPS must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
2
Rule
Severity: Medium
In the event of a logging failure, caused by loss of communications with the central logging server, the IDPS must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
2
Rule
Severity: Medium
In the event that communications with the Syslog server is lost, the Juniper SRX Services Gateway must continue to queue traffic log records locally.
2
Rule
Severity: Medium
The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.
2
Rule
Severity: Medium
The Mainframe Product must shut down by default upon audit failure (unless availability is an overriding concern).
1
Rule
Severity: Medium
Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.
1
Rule
Severity: High
Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace.
1
Rule
Severity: Medium
Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern).
1
Rule
Severity: Low
Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.
2
Rule
Severity: Medium
Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.
1
Rule
Severity: Medium
In the event of a logging failure, caused by loss of communications with the central logging server, the SMS must queue audit records locally by using the syslog over TCP protocol until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.
2
Rule
Severity: Medium
In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance.
1
Rule
Severity: Medium
Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.
1
Rule
Severity: Medium
The NSX-T Tier-0 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure communications with the central audit server.
4
Rule
Severity: Medium
The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
The macOS system must configure system to shut down upon audit failure.
3
Rule
Severity: Medium
The macOS system must configure audit failure notification.
3
Rule
Severity: Medium
The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.
2
Rule
Severity: Medium
The Cisco ASA must be configured to queue log records locally In the event that the central audit server is down or not reachable.
2
Rule
Severity: Low
PostgreSQL must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.
2
Rule
Severity: Medium
PostgreSQL must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure. This is required for compliance with C2C Step 1.
2
Rule
Severity: Medium
The DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
The DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
2
Rule
Severity: Medium
The container platform must take appropriate action upon an audit failure.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.
6
Rule
Severity: Medium
The operating system must shut down by default upon audit failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG).
4
Rule
Severity: Medium
IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).
2
Rule
Severity: Medium
MarkLogic Server must shut down by default upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
MariaDB must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
MariaDB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
2
Rule
Severity: Medium
MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.
2
Rule
Severity: Medium
SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
1
Rule
Severity: Low
Windows Defender Firewall with Advanced Security log size must be configured for domain connections.
1
Rule
Severity: Low
Windows Defender Firewall with Advanced Security log size must be configured for private network connections.
1
Rule
Severity: Low
Windows Defender Firewall with Advanced Security log size must be configured for public network connections.
1
Rule
Severity: Medium
Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system.
2
Rule
Severity: Medium
The OL 8 System must take appropriate action when an audit processing failure occurs.
2
Rule
Severity: Medium
The OL 8 audit system must take appropriate action when the audit storage volume is full.
2
Rule
Severity: Medium
In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.
2
Rule
Severity: Medium
Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).
2
Rule
Severity: Medium
Automation Controller must be configured to fail over to another system in the event of log subsystem failure.
2
Rule
Severity: Medium
Redis Enterprise DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
2
Rule
Severity: Medium
Redis Enterprise DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.
2
Rule
Severity: Medium
All audit records must generate the event results within OpenShift.
2
Rule
Severity: Medium
OpenShift must take appropriate action upon an audit failure.
2
Rule
Severity: Medium
The RHEL 8 System must take appropriate action when an audit processing failure occurs.
2
Rule
Severity: Medium
The RHEL 8 audit system must take appropriate action when the audit storage volume is full.
4
Rule
Severity: Medium
The SUSE operating system audit system must take appropriate action when the audit storage volume is full.
2
Rule
Severity: Medium
RHEL 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.
2
Rule
Severity: Medium
RHEL 9 audit system must take appropriate action when the audit storage volume is full.
2
Rule
Severity: Medium
RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.
2
Rule
Severity: Medium
RHEL 9 must take appropriate action when a critical audit processing failure occurs.
2
Rule
Severity: Medium
The VMM must shut down by default upon audit failure (unless availability is an overriding concern).
1
Rule
Severity: Medium
The Photon operating system audit log must attempt to log audit failures to syslog.
1
Rule
Severity: Medium
VMware Postgres must be configured to overwrite older logs when necessary.
1
Rule
Severity: Medium
The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
1
Rule
Severity: High
The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.
1
Rule
Severity: Medium
The macOS system must be configured to shut down upon audit failure.
1
Rule
Severity: Medium
Ubuntu 22.04 LTS must shut down by default upon audit failure.
1
Rule
Severity: Medium
PostgreSQL must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.
1
Rule
Severity: Medium
PostgreSQL must be configurable to overwrite audit log records, oldest first (first-in-first-out [FIFO]), in the event of unavailability of space for more audit log records.
1
Rule
Severity: Low
In the event that communication with the central audit server is lost, the F5 BIG-IP appliance must continue to queue traffic log records locally.
1
Rule
Severity: Medium
MKE must be configured to send audit data to a centralized log server.
1
Rule
Severity: Medium
MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.
1
Rule
Severity: Medium
SLEM 5 audit system must take appropriate action when the audit storage volume is full.
1
Rule
Severity: Medium
The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.
1
Rule
Severity: Medium
TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.
1
Rule
Severity: Medium
TOSS must take appropriate action when an audit processing failure occurs.
Patternfly
PatternFly elements
The content of the drawer really is up to you. It could have form fields, definition lists, text lists, labels, charts, progress bars, etc. Spacing recommendation is 24px margins. You can put tabs in here, and can also make the drawer scrollable.
Modules