Vulnerability Discussion

If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

Check

Verify Ubuntu 24.04 LTS notifies the SA and ISSO (at a minimum) when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity with the following command:

Note: If the space_left_action is set to "email", an email package must be available.

$ sudo grep ^space_left_action /etc/audit/auditd.conf
space_left_action email

$ sudo grep ^space_left /etc/audit/auditd.conf
space_left 250000

If the "space_left" parameter is set to "syslog", is missing, set to blanks, or set to a value less than 25 percent of the space free in the allocated audit record storage, this is a finding.

If the "space_left_action" parameter is missing or set to blanks, this is a finding.

If the "space_left_action" is set to "email", check the value of the "action_mail_acct" parameter with the following command:

$ sudo grep ^action_mail_acct /etc/audit/auditd.conf
action_mail_acct root@localhost

The "action_mail_acct" parameter, if missing, defaults to "root". If the "action_mail_acct parameter" is not set to the email address of the SA(s) and/or ISSO, this is a finding.

If the "space_left_action" is set to "exec", the system executes a designated script. If this script informs the SA of the event, this is not a finding.

Fix

Edit "/etc/audit/auditd.conf" and set the "space_left_action" parameter to "exec" or "email".

If the "space_left_action" parameter is set to "email", set the "action_mail_acct" parameter to an email address for the SA and ISSO.

If the "space_left_action" parameter is set to "exec", ensure the command being executed notifies the SA and ISSO.

Edit "/etc/audit/auditd.conf" and set the "space_left" parameter to be at least 25 percent of the repository maximum audit record storage capacity.