The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

An XCCDF Rule

Description

<VulnDiscussion>If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258845r935564_rule
Severity: Low
References: CCI-001855
Updated: 17 days ago

Navigate to and open:

/etc/audit/auditd.conf

Ensure the "space_left" and "space_left_action" lines are uncommented and set to the following:
space_left = 25%
space_left_action = SYSLOG

At the command line, run the following command:

# pkill -SIGHUP auditd

The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.

Description

Remediation - Manual Procedure