SLEM 5 auditd service must notify the system administrator (SA) and information system security officer (ISSO) immediately when audit storage capacity is 75 percent full.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| --- | --- | --- | --- | --- |
| V-261414 | SLEM-05-653030 | SV-261414r996654_rule | CCI-001855 | medium |

Description

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

| STIG | Date |
| --- | --- |
| SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide | 2025-05-08 |
Related Frameworks
NIST 800-53 (1 mapping)
AU-5(1)
1.00
- DISA · 1 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI (1 mapping)
CCI-001855
1.00
- DISA · 1 · disa_xccdf · related
Details
Check Text (C-261414r996654_chk)
Determine if SLEM 5 auditd is configured to notify the SA and ISSO when the audit record storage volume reaches 75 percent of the storage capacity with the following command:
> sudo grep -iw space_left /etc/audit/auditd.conf
space_left = 25%
If "space_left" is not set to "25%" or greater, this is a finding.
Fix Text (F-65051r996108_fix)
Configure SLEM 5 auditd service to notify the SA and ISSO immediately when audit storage capacity is 75 percent full.
Add or modify the following line in the "/etc/audit/auditd.conf" file:
space_left = 25%
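
The Check Text above, scripted so it can run across many hosts; this is an added example and not part of the STIG. The function name `check_space_left`, its return codes and the sample files are this example's own, and returning "manual review" for a bare number is an assumption, since the check text only addresses the percentage form.

```shell
#!/bin/sh
# Added example, not part of the STIG text.
# check_space_left FILE: 0 = not a finding, 1 = finding, 2 = manual review.
check_space_left() {
    conf=$1
    [ -r "$conf" ] || { echo "finding: cannot read $conf"; return 1; }
    # Skip comment lines and compare the whole key, case-insensitively, so
    # admin_space_left and space_left_action never match. If the key repeats,
    # the last occurrence is used (assumption about how auditd resolves it).
    value=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = tolower($1); gsub(/[ \t\r]/, "", key)
            if (key == "space_left") { val = $2; gsub(/[ \t\r]/, "", val) }
        }
        END { print val }' "$conf")
    case $value in
        "")
            echo "finding: space_left is not set in $conf"; return 1 ;;
        *%)
            pct=${value%\%}
            case $pct in
                ""|*[!0-9]*) echo "finding: unparsable value '$value'"; return 1 ;;
            esac
            if [ "$pct" -ge 25 ]; then
                echo "not a finding: space_left = $value"; return 0
            fi
            echo "finding: space_left = $value is below 25%"; return 1 ;;
        *)
            # A bare number is an absolute size; whether it amounts to 25
            # percent depends on the size of the audit log filesystem.
            echo "review: space_left = $value is not a percentage"; return 2 ;;
    esac
}

# Constructed sample files (not taken from a real host).
tmp=$(mktemp -d)
printf 'space_left = 25%%\nspace_left_action = email\n' > "$tmp/ok.conf"
printf '# space_left = 25%%\nadmin_space_left = 50\nSpace_Left=10%%\n' > "$tmp/low.conf"
printf 'space_left = 75\n' > "$tmp/abs.conf"
for f in ok low abs; do
    check_space_left "$tmp/$f.conf" || echo "  (exit status $?)"
done
rm -rf "$tmp"
```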