Nutanix OS must immediately notify the system administrator (SA) and information system security officer (ISSO) (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-279568 | NXAC-OS-000091 | SV-279568r1192085_rule | CCI-001855 | low |
| Description | ||||
| If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion. | ||||
| STIG | Date | |||
| Nutanix Acropolis GPOS Security Technical Implementation Guide | 2026-02-24 | |||
Details
Check Text (C-279568r1192085_chk)
1. Verify Nutanix OS is configured to act when allocated audit record storage volume reaches 75 percent utilization using the following command.
$ sudo grep -w space_left /etc/audit/auditd.conf
space_left = 25%
If the value of the "space_left" keyword is not set to "25%", or is commented out, this is a finding.
2. Run the following command.
$ sudo grep -w space_left_action /etc/audit/auditd.conf
space_left_action = SYSLOG
If the value of the "space_left_action" is not set to "SYSLOG" or is commented out, this is a finding.
Fix Text (F-84026r1191667_fix)
1. For AOS, configure the audit rules.
$ sudo salt-call state.sls security/CVM/auditCVM
2. For Prism Central, configure the audit rules.
$ sudo salt-call state.sls security/PCVM/auditPCVM
3. For Files, configure the audit rules.
$ sudo salt-call state.sls security/AFS/auditAFS
4. For AHV, configure the audit rules.
$ sudo salt-call state.sls security/KVM/auditKVM