NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.

An XCCDF Rule

Description

If security personnel are not notified immediately when storage volume reaches 90 percent utilization, they are unable to plan for audit record storage capacity expansion.

ID: SV-268102r1039601_rule
Version: ANIX-00-000410
Severity: Medium
References: CCI-000139
Updated: about 2 months ago

Remediation Templates

Configure NixOS to initiate an action to notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 90 percent of the repository maximum audit record storage capacity.

If the space_left_action parameter is set to "syslog", make sure the event being logged generates a notification to the SA and ISSO.

If the space_left_action parameter is set to "exec", make sure the command being execute notifies the SA and ISSO.
If the space_left_action parameter is set to "email" set the action_mail_acct parameter to an email address for the SA and ISSO.

Add or update the 'environment.etc."audit/auditd.conf".text' configuration in /etc/nixos/configuration.nix to include the following:

  admin_space_left_action = syslog

For example, an updated configuration of 'environment.etc."audit/auditd.conf".text' would look like the following in /etc/nixos/configuration.nix ('...' denoting that the 'environment.etc."audit/auditd.conf".text' configuration may have other options configured):

 environment.etc."audit/auditd.conf".text = [
  ''
   ...
   admin_space_left_action = syslog
   ...
  
 ''
];

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch

NixOS must notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 90 percent utilization.

Description

Remediation Templates

A Manual Procedure