ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/
Other
2.18k stars 695 forks source link

needs mapping/rule: SRG-OS-000342-GPOS-00133, SV-86711r2_rule, RHEL-07-030320 (audisp network failure) #1847

Closed shawndwells closed 6 years ago

shawndwells commented 7 years ago
SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 7DISADPMS TargetRed Hat 72777CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full.^M ^M Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:^M ^M disk_full_action = single^M ^M Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".Verify the action the operating system takes if the disk the audit records are written to becomes full.^M ^M To determine the action that takes place if the disk is full on the remote server, use the following command:^M ^M # grep -i disk_full_action /etc/audisp/audisp-remote.conf^M disk_full_action = single^M ^M To determine the action that takes place if the network connection fails, use the following command:^M ^M # grep -i network_failure_action /etc/audisp/audisp-remote.conf^M network_failure_action = stop^M ^M If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.^M ^M If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
shawndwells commented 6 years ago

Completed previously.

ref: https://github.com/OpenSCAP/scap-security-guide/blob/master/shared/guide/system/auditing/configure_auditd_data_retention/auditd_audispd_disk_full_action.rule#L31