{"description": "Audit logs are stored in the <tt>/var/log/audit</tt> directory.\n\nEnsure that <code>/var/log/audit</code> has its own partition or logical\nvolume at installation time, or migrate it using LVM.\nMake absolutely certain that it is large enough to store all\naudit logs that will be created by the auditing daemon.", "rationale": "Placing <tt>/var/log/audit</tt> in its own partition\nenables better separation between audit files\nand other files, and helps ensure that\nauditing cannot be halted due to the partition running out\nof space.", "severity": "low", "references": {"cis-csc": ["1", "12", "13", "14", "15", "16", "2", "3", "5", "6", "8"], "cobit5": ["APO11.04", "APO13.01", "BAI03.05", "BAI04.04", "DSS05.02", "DSS05.04", "DSS05.07", "MEA02.01"], "hipaa": ["164.312(a)(2)(ii)"], "isa-62443-2009": ["4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 7.1", "SR 7.2", "SR 7.6"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.17.2.1"], "nerc-cip": ["CIP-007-3 R6.5"], "nist": ["CM-6(a)", "AU-4", "SC-5(2)"], "nist-csf": ["PR.DS-4", "PR.PT-1", "PR.PT-4"], "ospp": ["FMT_SMF_EXT.1"], "srg": ["SRG-OS-000341-GPOS-00132", "SRG-OS-000480-GPOS-00227", "SRG-APP-000357-CTR-000800"], "anssi": ["R71"], "cis": ["1.1.2.7.1"]}, "control_references": {"anssi": ["R71"], "cis": ["1.1.2.7.1"]}, "components": [], "identifiers": {}, "ocil_clause": "\"/var/log/audit is not a mountpoint\" is returned", "ocil": "Verify that a separate file system/partition has been created for <code>/var/log/audit</code> with the following command:\n\n<pre>$ mountpoint /var/log/audit</pre>\n", "oval_external_content": null, "fixtext": "Migrate the system audit data path onto a separate file system.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must use a separate file system for the system audit data path.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use a separate file system for the system audit data path.", "vuldiscussion": "Placing \"/var/log/audit\" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space.", "checktext": "Verify that a separate file system/partition has been created for the system audit data path with the following command:\n\nNote: /var/log/audit is used as the example as it is a common location.\n\n$ mount | grep /var/log/audit\n\n/dev/mapper/rootvg-varlogaudit on /var/log/audit type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)\nNote: Options displayed for mount may differ.\n\nIf no line is returned, this is a finding.", "fixtext": "Migrate the system audit data path onto a separate file system."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["not container"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["not_container"], "bash_conditional": null, "fixes": {}, "title": "Ensure /var/log/audit Located On Separate Partition", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/software/disk_partitioning/partition_for_var_log_audit/rule.yml", "template": {"name": "mount", "vars": {"mountpoint": "/var/log/audit", "min_size": 10737418240}, "backends": {}}}