{"description": "The Ubuntu 22.04 operating system must allocate audit record storage\ncapacity to store at least one week's worth of audit records when audit\nrecords are not immediately sent to a central audit record storage\nfacility.\n\nThe partition size needed to capture a week's worth of audit records is\nbased on the activity level of the system and the total storage capacity\navailable.\n\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n<pre>$ sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log</pre>\n\nCheck the size of the partition that audit records are written to with the\nfollowing command:\n\n<pre>$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit</pre>", "rationale": "Information stored in one location is vulnerable to accidental or incidental\ndeletion or alteration. Off-loading is a common process in information\nsystems with limited audit storage capacity.", "severity": "medium", "references": {"srg": ["SRG-OS-000341-GPOS-00132", "SRG-OS-000342-GPOS-00133"], "stigid": ["UBTU-22-653035"], "stigref": ["SV-260595r958752_rule"]}, "control_references": {"stigid": ["UBTU-22-653035"]}, "components": [], "identifiers": {}, "ocil_clause": "audispd is not sending logs to a remote system and the local partition has inadequate space", "ocil": "To verify whether the audispd plugin off-loads audit records onto a different\nsystem or media from the system being audited, run the following command:\n\n<pre>$ sudo grep -i remote_server /etc/audit/audisp-remote.conf</pre>\n\nThe output should return something similar to the following, where <i>REMOTE_SYSTEM</i>\nis an IP address or hostname:\n<pre>remote_server = <i>REMOTE_SYSTEM</i></pre>\n\nDetermine which partition the audit records are being written to with the\nfollowing command:\n\n<pre>$ sudo grep log_file /etc/audit/auditd.conf\nlog_file = /var/log/audit/audit.log</pre>\n\nCheck the size of the partition that audit records are written to with the\nfollowing command and verify whether it is sufficiently large:\n\n<pre>$ sudo df -h /var/log/audit/\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit</pre>", "oval_external_content": null, "fixtext": "Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nIf audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records.\n\nIf audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need to be created.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must allocate enough storage capacity for at least one week of audit records.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must allocate audit record storage capacity to store at least one week's worth of audit records.", "vuldiscussion": "To ensure Ubuntu 22.04 systems have sufficient storage capacity in which to write the audit logs, Ubuntu 22.04 needs to be able to allocate audit record storage capacity.\n\nThe task of allocating audit record storage capacity is usually performed during initial installation of Ubuntu 22.04.", "checktext": "Verify Ubuntu 22.04 allocates audit record storage capacity to store at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nNote: The partition size needed to capture a week of audit records is based on the activity level of the system and the total storage capacity available. Typically 10.0GB of storage space for audit records should be sufficient.\n\nDetermine which partition the audit records are being written to with the following command:\n\n$ sudo grep -w log_file /etc/audit/auditd.conf\n\nlog_file = /var/log/audit/audit.log\n\nCheck the size of the partition that audit records are written to with the following command and verify whether it is sufficiently large:\n\n# df -h /var/log/audit/\n\n/dev/sda2 24G 10.4G 13.6G 43% /var/log/audit\n\nIf the audit record partition is not allocated for sufficient storage capacity, this is a finding.", "fixtext": "Allocate enough storage capacity for at least one week of audit records when audit records are not immediately sent to a central audit record storage facility.\n\nIf audit records are stored on a partition made specifically for audit records, resize the partition with sufficient space to contain one week of audit records.\n\nIf audit records are not stored on a partition made specifically for audit records, a new partition with sufficient space will need to be created."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure a Sufficiently Large Partition for Audit Logs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_audispd_configure_sufficiently_large_partition/rule.yml", "template": null}