Add description for 8.1.1.9

This commit is contained in:
samson 2018-11-13 14:31:56 +08:00
parent 32de2245b6
commit 281104d323
1 changed files with 43 additions and 0 deletions

@ -331,6 +331,49 @@ Configure the action the operating system takes if the network connection is fai
network_failure_action = syslog
```
## 8.1.1.9 Set space left for auditd service (scored)
### Profile Applicability
Level 4
### Description
The operating system must immediately notify the System Administrator (SA) and Information System Security Officer ISSO (at a minimum) when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity.
### Rationale
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
### Aduit
Verify the operating system immediately notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to with the following command:
```
# grep log_file /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
```
Check the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
```
# df -B 1m /var/log/audit/
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/sda1 18015 2002 15076 12% /
```
Determine what the threshold is for the system to take action when 75 percent of the repository maximum audit record storage capacity is reached:
```
# grep -i space_left /etc/audit/auditd.conf
space_left = 225
```
If the value of the "space_left" keyword is not equal or greater to 25 percent of the total partition size, this is a finding.
### Remediation
Configure the operating system to immediately notify the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity. Check the system configuration to determine the partition the audit records are being written to:
```
# grep log_file /etc/audit/auditd.conf
```
Determine the size of the partition that audit records are written to (with the example being "/var/log/audit/"):
```
# df -B 1m /var/log/audit/
Filesystem 1M-blocks Used Available Use% Mounted on
/dev/sda1 18015 2002 15076 12% /
```
Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.
## 8.1.19 Recored ssh-keysign command usage (scored)
### Profile Applicability
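Review bot: the Remediation section (from "Configure the operating system to immediately notify" through "Set the value of the "space_left" keyword") only sets `space_left`, which defines the threshold but on its own does not notify anyone; the notification that the Description and Rationale require comes from the accompanying `space_left_action` keyword in `/etc/audit/auditd.conf` (for example `email`, together with `action_mail_acct`, or `syslog`), so the remediation should also tell the reader to set that key and the Audit section should check it. Two smaller points in the same hunk: the worked example is internally inconsistent, since 25 percent of the 18015 MB partition in the `df` output is roughly 4504 MB, not the `space_left = 225` shown, and the `df` output lists the mount point as `/` rather than a dedicated audit partition, both of which a reader may copy verbatim; and the headings `### Aduit` and `## 8.1.19 Recored ssh-keysign command usage (scored)` carry typos (`Audit`, `Record`), while the finding sentence should read "not equal to or greater than 25 percent".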