Skip to content

The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.

An XCCDF Rule

Description

<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-217193r877389_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

Check the system configuration to determine the partition to which the audit records are written: 

# grep -iw log_file /etc/audit/auditd.conf

Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"):