CCI-000140

Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

15 rules found Severity: Medium

63 rules found Severity: Medium

64 rules found Severity: Medium

60 rules found Severity: Medium

8 rules found Severity: Medium

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: High

1 rule found Severity: Low

1 rule found Severity: Medium

1 rule found Severity: Low

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

2 rules found Severity: Medium

1 rule found Severity: Medium

CCI-000140

Shutdown System When Auditing Failures Occur

Configure auditd Disk Error Action on Disk Error

Configure auditd Disk Full Action when Disk Space Is Full

Configure auditd max_log_file_action Upon Reaching Maximum Log Size

Configure auditd admin_space_left Action on Low Disk Space

The CA API Gateway must shut down by default upon audit failure (unless availability is an overriding concern).

In the event of a logging failure, caused by loss of communications with the central logging server, the DBN-6300 must queue audit records locally until communication is restored or until the audit records are retrieved manually or using automated synchronization tools.

In the event of a logging failure caused by the lack of log record storage capacity, the DBN-6300 must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.

In the event that communication with the central audit server is lost, the FortiGate firewall must continue to queue traffic log records locally.

CounterACT must use an Enterprise Manager or other high availability solution to ensure redundancy in case of audit failure in this critical network access control and security service.

Unless it has been determined that availability is paramount, DB2 must, upon audit failure, cease all auditable activity.

The MQ Appliance messaging server must be configured to fail over to another system in the event of log subsystem failure.

The WebSphere Application Server must shut down by default upon log failure (unless availability is an overriding concern).

The WebSphere Application Server high availability applications must be configured to fail over to another system in the event of log subsystem failure.

Unless it has been determined that availability is paramount, SQL Server must shut down upon the failure of an Audit, or a Trace used for auditing purposes, to include the unavailability of space for more audit/trace log records.

Where availability is paramount, the SQL Server must continue processing (preferably overwriting existing records, oldest first), in the event of lack of space for more Audit/Trace log records; and must keep processing after any failure of an Audit/Trace.

Nutanix AOS must shut down by default upon audit failure (unless availability is an overriding concern).

Oracle WebLogic must notify administrative personnel as a group in the event of audit processing failure.

Each NSX-T Edge Node configured to host a Tier-1 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure traffic log records.

The NSX-T Tier-0 Gateway Firewall must be configured to use the TLS or LI-TLS protocols to configure and secure communications with the central audit server.

The macOS system must shut down by default upon audit failure (unless availability is an overriding concern).

The Ubuntu operating system must shut down by default upon audit failure (unless availability is an overriding concern).

MongoDB must provide audit record generation for DoD-defined auditable events within all DBMS/database components.

Windows Defender Firewall with Advanced Security log size must be configured for domain connections.

Windows Defender Firewall with Advanced Security log size must be configured for private network connections.

Windows Defender Firewall with Advanced Security log size must be configured for public network connections.

Disk space used by audit trail(s) must be monitored; audit records must be regularly or continuously offloaded to a centralized log management system.

The EDB Postgres Advanced Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.

PostgreSQL must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.

PostgreSQL must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

PostgreSQL must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

PostgreSQL must be configurable to overwrite audit log records, oldest first (first-in-first-out [FIFO]), in the event of unavailability of space for more audit log records.

The Cisco ASA must be configured to queue log records locally in the event that the central audit server is down or not reachable.

The Cisco ASA must be configured to queue log records locally In the event that the central audit server is down or not reachable.

The Cisco ISE must continue to queue traffic log records locally when communication with the central log server is lost and there is an audit archival failure. This is required for compliance with C2C Step 1.

The EDB Postgres Advanced Server must, by default, shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

The EDB Postgres Advanced Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.

In the event that communication with the central audit server is lost, the F5 BIG-IP appliance must continue to queue traffic log records locally.

The WebSphere Liberty Server must be configured to offload logs to a centralized system.

MarkLogic Server must shut down by default upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

MKE must be configured to send audit data to a centralized log server.

MongoDB must provide audit record generation for DOD-defined auditable events within all DBMS/database components.

Redis Enterprise DBMS must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

Redis Enterprise DBMS must be configurable to overwrite audit log records, oldest first (First-In-First-Out [FIFO]), in the event of unavailability of space for more audit log records.

Rancher MCM must generate audit records for all DoD-defined auditable events within all components in the platform.

Automation Controller must allocate log record storage capacity and shut down by default upon log failure (unless availability is an overriding concern).

Automation Controller must be configured to fail over to another system in the event of log subsystem failure.

SLEM 5 audit system must take appropriate action when the audit storage volume is full.

The TPS must provide audit record generation capability for detection events based on implementation of policy filters, rules, signatures, and anomaly analysis.

In the event of a logging failure caused by the lack of audit record storage capacity, the SMS must continue generating and storing audit records, overwriting the oldest audit records in a first-in-first-out manner using Audit Log maintenance.

TOSS audit records must contain information to establish what type of events occurred, when the events occurred, the source of events, where events occurred, and the outcome of events.

TOSS must take appropriate action when an audit processing failure occurs.

The NixOS audit system must take appropriate action when the audit storage volume is full.

The NixOS audit system must take appropriate action when an audit processing failure occurs.

The macOS system must configure system to shut down upon audit failure.

The macOS system must configure audit failure notification.

The macOS system must be configured to shut down upon audit failure.

The application must shut down by default upon audit failure (unless availability is an overriding concern).

Ubuntu 22.04 LTS must shut down by default upon audit failure.

AlmaLinux OS 9 audit system must take appropriate action when an error writing to the audit storage volume occurs.

AlmaLinux OS 9 audit system must take appropriate action when the audit storage volume is full.

AlmaLinux OS 9 must take appropriate action when a critical audit processing failure occurs.

AlmaLinux OS 9 audit system must make full use of the audit storage space.

AlmaLinux OS 9 audit system must take appropriate action when the audit files have reached maximum size.

AlmaLinux OS 9 audit system must retain an optimal number of audit records.

IBM z/OS NOBUFFS in SMFPRMxx must be properly set (Default is MSG).

IBM z/OS NOBUFFS in SMFPRMxx must be properly set (default is MSG).

In the event that communications with the Syslog server is lost, the Juniper SRX Services Gateway must continue to queue traffic log records locally.

The Juniper SRX Services Gateway must generate an alert message to the management console and generate a log event record that can be forwarded to the ISSO and designated system administrators when accounts are disabled.

MariaDB must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

MariaDB must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.

SQL Server must by default shut down upon audit failure, to include the unavailability of space for more audit log records; or must be configurable to shut down upon audit failure.

SQL Server must be configurable to overwrite audit log records, oldest first (First-In-First-Out - FIFO), in the event of unavailability of space for more audit log records.

The OL 8 System must take appropriate action when an audit processing failure occurs.

The OL 8 audit system must take appropriate action when the audit storage volume is full.

All audit records must generate the event results within OpenShift.

OpenShift must take appropriate action upon an audit failure.

In the event of a logging failure caused by the lack of audit record storage capacity, the Palo Alto Networks security platform must continue generating and storing audit records if possible, overwriting the oldest audit records in a first-in-first-out manner.