The SUSE operating system auditd service must notify the System Administrator (SA) and Information System Security Officer (ISSO) immediately when audit storage capacity is 75 percent full.
An XCCDF Rule
Description
<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-234969r877389_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Check the system configuration to determine the partition to which the audit records are written:
> sudo grep -iw log_file /etc/audit/auditd.conf
Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"):