{"description": "The <tt>auditd</tt> service can be configured to take an action\nwhen there is a disk error.\nEdit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,\nsubstituting <i>ACTION</i> appropriately:\n<pre>disk_error_action = <i>ACTION</i></pre>\nSet this value to <tt>single</tt> to cause the system to switch to single-user\nmode for corrective action. Acceptable values also include\n\n<tt>syslog</tt>, <tt>exec</tt>, <tt>single</tt>, and <tt>halt</tt>.\n\nFor certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for <i>ACTION</i> are described in the\n<tt>auditd.conf</tt> man page.", "rationale": "Taking appropriate action in case of disk errors will minimize the possibility of\nlosing audit records.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "srg": ["SRG-OS-000047-GPOS-00023", "SRG-APP-000098-CTR-000185", "SRG-APP-000099-CTR-000190", "SRG-APP-000100-CTR-000195", "SRG-APP-000100-CTR-000200", "SRG-APP-000109-CTR-000215", "SRG-APP-000290-CTR-000670", "SRG-APP-000357-CTR-000800"], "cis": ["6.3.2.3"]}, "control_references": {"cis": ["6.3.2.3"]}, 
"components": [], "identifiers": {}, "ocil_clause": "there is no evidence of appropriate action", "ocil": "Verify Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs.\n\nCheck that Ubuntu 22.04 takes the appropriate action when an audit processing failure occurs with the following command:\n\n$ sudo grep disk_error_action /etc/audit/auditd.conf\n\ndisk_error_action = <sub idref=\"var_auditd_disk_error_action\" />\n\nIf the value of the \"disk_error_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit process failure occurs.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\n\nAdd or update the following line (\"disk_error_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\n\ndisk_error_action = <sub idref=\"var_auditd_disk_error_action\" />\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure Ubuntu 22.04 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_error_action\" to \"SYSLOG\".", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd Disk Error Action on Disk Error", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_error_action/rule.yml", "template": 
null}