{"description": "The <tt>auditd</tt> service can be configured to take an action\nwhen there is a disk error.\nEdit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,\nsubstituting <i>ACTION</i> appropriately:\n<pre>disk_error_action = <i>ACTION</i></pre>\nSet this value to <tt>single</tt> to cause the system to switch to single-user\nmode for corrective action. Acceptable values also include <tt>syslog</tt>,\n<tt>exec</tt>, <tt>single</tt>, and <tt>halt</tt>. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for <i>ACTION</i> are described in the\n<tt>auditd.conf</tt> man page.", "rationale": "Taking appropriate action in case of disk errors will minimize the possibility of\nlosing audit records.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "srg": ["SRG-OS-000047-GPOS-00023"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "there is no evidence of appropriate action", "ocil": "Verify Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs.\n\nCheck that Ubuntu 22.04 takes the appropriate 
action when an audit processing failure occurs with the following command:\n\n$ sudo grep disk_error_action /etc/audit/auditd.conf\n\ndisk_error_action = HALT\n\nIf the value of the \"disk_error_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_error_action = HALT\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure Ubuntu 22.04 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_error_action\" to \"SYSLOG\".", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when an error writing to the audit storage volume occurs.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when an error writing to the audit storage volume occurs.", "vuldiscussion": "It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.", "checktext": "Verify Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs.\n\nCheck that Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs with the following command:\n\n$ sudo grep disk_error_action /etc/audit/auditd.conf\n\ndisk_error_action = HALT\n\nIf the value of the \"disk_error_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.  If there is no evidence of appropriate action, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_error_action = HALT\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_error_action\" to \"SYSLOG\"."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd Disk Error Action on Disk Error", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action_stig/rule.yml", "template": null}