← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-22374

CAT III (Low)

The audit system must alert the SA in the event of an audit processing failure.

Rule ID

SV-45285r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000139

Discussion

An accurate and current audit trail is essential for maintaining a record of system activity. If the system fails, the SA must be notified and must take prompt action to correct the problem. Minimally, the system must log this event and the SA will receive this notification during the daily system log review. If feasible, active alerting (such as e-mail or paging) should be employed consistent with the site’s established operations management systems and procedures.

Check Content

Verify the /etc/audit/auditd.conf has the disk_full_action and disk_error_action parameters set.

Procedure:
# grep disk_full_action /etc/audit/auditd.conf

If the disk_full_action parameter is missing or set to "suspend" or "ignore" this is a finding.

# grep disk_error_action /etc/audit/auditd.conf

If the disk_error_action parameter is missing or set to "suspend" or "ignore" this is a finding.

Fix Text

Edit /etc/audit/auditd.conf and set the disk_full_action and/or disk_error_action parameters to a valid setting of "syslog", "exec", "single" or "halt", adding the parameters if necessary.