>From 16efd586b70217f14ae0baac84633b5ca8bad050 Mon Sep 17 00:00:00 2001 From: Shawn Wells <[email protected]> Date: Wed, 20 Mar 2013 19:31:30 -0400 Subject: [PATCH] ticket 330 - adjust language to permit halt for admin_space_left_action * Adjusted language to permit suspend, halt, or single-user where appropriate. Updated alternate SRG title to reflect.
* Also added suspend, halt, and single-user to acceptable options beyond email --- RHEL6/input/auxiliary/alt-titles-stig.xml | 2 +- RHEL6/input/system/auditing.xml | 13 ++++++++----- 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/RHEL6/input/auxiliary/alt-titles-stig.xml b/RHEL6/input/auxiliary/alt-titles-stig.xml index c9fdb8f..af68f29 100644 --- a/RHEL6/input/auxiliary/alt-titles-stig.xml +++ b/RHEL6/input/auxiliary/alt-titles-stig.xml @@ -375,7 +375,7 @@ The system must rotate audit log files that reach the maximum file size. The audit system must alert designated staff members when the audit storage volume approaches capacity. </title> <title rule="configure_auditd_admin_space_left_action" shorttitle="Configure auditd admin_space_left Action on Low Disk Space"> -The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low. +The audit system must suspent, halt, or switch the system to single-user mode when available audit storage volume becomes dangerously low. </title> <title rule="configure_auditd_action_mail_acct" shorttitle="Configure auditd mail_acct Action on Low Disk Space"> The audit system must identify staff members to receive notifications of audit log storage volume capacity issues. diff --git a/RHEL6/input/system/auditing.xml b/RHEL6/input/system/auditing.xml index dbe3c34..b072134 100644 --- a/RHEL6/input/system/auditing.xml +++ b/RHEL6/input/system/auditing.xml @@ -343,7 +343,8 @@ These include: <li><tt>halt</tt></li> </ul> Set this to <tt>email</tt> (instead of the default, -which is <tt>suspend</tt>) as it is more likely to get prompt attention. +which is <tt>suspend</tt>) as it is more likely to get prompt attention. Acceptable values +also include <tt>suspend</tt>, <tt>single</tt>, and <tt>halt</tt>. </description> <ocil clause="the system is not configured to send an email to the system administrator when disk space is starting to run low"> @@ -351,7 +352,8 @@ Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: <tt># grep space_left_action /etc/audit/auditd.conf</tt> -<pre>space_left_action email</pre> +<pre>space_left_action</pre> +Acceptable values are <tt>email</tt>, <tt>suspend</tt>, <tt>single</tt>, and <tt>halt</tt>. </ocil> <rationale>Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.</rationale> @@ -381,15 +383,16 @@ These include: <li><tt>halt</tt></li> </ul> Set this value to <tt>single</tt> to cause the system to switch to single user -mode for corrective action. For certain systems, the need for availability +mode for corrective action. Acceptable values also include <tt>suspend</tt> and +<tt>halt</tt>. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. </description> <ocil clause="the system is not configured to switch to single user mode for corrective action"> Inspect <tt>/etc/audit/auditd.conf</tt> and locate the following line to -determine if the system is configured to switch to single user mode -when disk space has run low: +determine if the system is configured to either suspend, switch to single user mode, +or halt when disk space has run low: <pre>admin_space_left_action single</pre> </ocil> <rationale>Administrators should be made aware of an inability to record -- 1.7.1
_______________________________________________ scap-security-guide mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
