SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-261414 | SLEM-05-653030 | SV-261414r996654_rule | CCI-001855 | medium |
| Description |
| If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion. |
| STIG | Date |
| SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2025-05-08 |
Details
Check Text (C-261414r996654_chk)
Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command:
> sudo grep -iw space_left /etc/audit/auditd.conf
space_left = 25%
If "space_left" is not set to "25%" or greater, this is a finding.
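The grep above also prints a commented-out "space_left" line, and auditd reads a bare number as megabytes rather than a percentage. The following script is an added example, not part of the STIG; the function name check_space_left and the sample file are constructed for illustration, and it evaluates only active lines, conservatively requiring every one of them to meet the threshold:

```shell
#!/bin/sh
# Added example (not STIG text): evaluate space_left against the 25% threshold.
# check_space_left is a hypothetical helper name.
check_space_left() {
    conf=${1:-/etc/audit/auditd.conf}
    [ -r "$conf" ] || { echo "finding: cannot read $conf"; return 2; }

    # Active (uncommented) space_left lines only. The key match is
    # case-insensitive and does not confuse admin_space_left or
    # space_left_action with space_left.
    values=$(awk -F= 'tolower($1) ~ /^[ \t]*space_left[ \t]*$/ {
                          gsub(/[ \t\r]/, "", $2); print $2 }' "$conf")
    [ -n "$values" ] || { echo "finding: no active space_left line"; return 1; }

    for v in $values; do
        case $v in
            *[!0-9%]*|%*|*%?*)
                echo "finding: unparsable space_left value '$v'"; return 1 ;;
            *%)
                pct=${v%?}
                # auditd.conf(5) accepts percentages from 1 to 99.
                if [ "$pct" -lt 25 ] || [ "$pct" -gt 99 ]; then
                    echo "finding: space_left = $v is outside 25%-99%"; return 1
                fi ;;
            *)
                # A bare number is an absolute size in megabytes.
                echo "finding: space_left = $v is not a percentage"; return 1 ;;
        esac
    done
    echo "pass: space_left = $v"
}

# Constructed sample: the only space_left line is commented out, so
# grep -iw would still print it although auditd never reads it.
sample=$(mktemp)
printf '# space_left = 25%%\nadmin_space_left = 10%%\n' > "$sample"
check_space_left "$sample" || true
rm -f "$sample"
```

Run it as `check_space_left /etc/audit/auditd.conf` with read access to the file; a non-zero return status means a finding.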
Fix Text (F-65051r996108_fix)
Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full.
Add or modify the following line in the "/etc/audit/auditd.conf" file:
space_left = 25%