Description of problem:
CNSSI 1253 Appendix F, Attachment 3 (the Cross Domain Solutions Overlay) has the following requirements for notification of audit record storage capacity:
> (U) AU-5(1), Response to Audit Processing Failures | Audit Storage Capacity
> (U) Parameter Value for Access, Transfer, and Multilevel: The information
> system provides a warning to the CDS System Administrator and/or Security
> Administrator, at a minimum, within seconds when allocated audit record
> storage volume reaches 75% and continues to notify at 80%, 90%, 95%, 98% and
> 99% of repository maximum audit record storage capacity.
For installations at customer sites, with customer-provided hardware, Forcepoint engineers modify /etc/audit/auditd.conf by hand to set the "space_left" and "admin_space_left" values to match the correct values based on partition size for 25% and 1% respectively, which partially meets the guidance.
Can the following changes be made to allow a configuration that completely meets the guidance?
- accept a percentage value (ex: 25%) as well as fixed size in MB for both "space_left" and "admin_space_left" in auditd.conf
- allow a comma-separated list for "space_left" so that the "space_left_action" can be taken at each of those values?
We are seeing this inability to configure auditd to match this guidance in RHEL 6, RHEL 7, Fedora 29, and presume RHEL 8 Beta (untested) is also unable to be so configured.
The full document is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm but is available only to holders of US Government CAC or PIV cards.
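The notification ladder from the overlay quoted above, modelled as an added example (it is not part of this bug report and not the audit project's code). It shows which rungs of the 75/80/90/95/98/99% ladder auditd's two free-space knobs can cover when set to 25% and 1%, and evaluates the "continues to notify" requirement over a sequence of usage readings. The readings are constructed, and the default path, helper names and once-per-rung semantics are this example's assumptions.

```python
"""Model the CNSSI 1253 CDS overlay AU-5(1) audit-storage notification ladder.

Added example, not part of the bug report or of auditd.  It evaluates the
quoted requirement (warn at 75% used, keep notifying at 80, 90, 95, 98 and
99%) and maps auditd's free-space thresholds onto that ladder.
"""
import os

# Percent of audit storage in use at which the overlay requires a notification.
CDS_THRESHOLDS_PCT = (75, 80, 90, 95, 98, 99)


def used_percent(total_bytes, avail_bytes):
    """Percentage of the audit repository that is in use."""
    if total_bytes <= 0:
        raise ValueError("total_bytes must be positive")
    return 100.0 * (total_bytes - avail_bytes) / total_bytes


def audit_partition_usage(path="/var/log/audit"):
    """(total_bytes, available_bytes) of the filesystem holding the audit log.

    The path is an assumption of this example (auditd's default log_file
    directory); pass the directory of your configured log_file instead.
    """
    st = os.statvfs(path)
    frsize = st.f_frsize or st.f_bsize
    return frsize * st.f_blocks, frsize * st.f_bavail


def due_notifications(used_pct, already_sent, thresholds=CDS_THRESHOLDS_PCT):
    """Rungs newly crossed since the last check.

    Each rung fires once (an assumption of this example); a single large
    jump in usage can therefore fire several rungs at the same check.
    """
    return tuple(t for t in thresholds if used_pct >= t and t not in already_sent)


def simulate(readings, thresholds=CDS_THRESHOLDS_PCT):
    """Run the ladder over successive usage readings; return what fires at each."""
    sent = set()
    fired = []
    for pct in readings:
        due = due_notifications(pct, sent, thresholds)
        sent.update(due)
        fired.append(due)
    return fired


def auditd_rungs(space_left_pct, admin_space_left_pct, thresholds=CDS_THRESHOLDS_PCT):
    """Split the ladder into rungs auditd's two knobs cover and rungs they miss.

    auditd thresholds are expressed as free space; a space_left of 25% free
    corresponds to 75% used, admin_space_left of 1% free to 99% used.
    """
    covered = {100 - space_left_pct, 100 - admin_space_left_pct}
    return (tuple(t for t in thresholds if t in covered),
            tuple(t for t in thresholds if t not in covered))


if __name__ == "__main__":
    # Constructed usage readings standing in for successive polls of the partition.
    readings = [70, 76, 76, 85, 99.5]
    for pct, fired in zip(readings, simulate(readings)):
        print(f"{pct:5.1f}% used -> notify at {fired}")
    hit, missed = auditd_rungs(25, 1)
    print("auditd space_left=25%/admin_space_left=1% covers", hit, "misses", missed)
    try:
        total, avail = audit_partition_usage()
        print(f"current audit partition usage: {used_percent(total, avail):.1f}%")
    except OSError as exc:
        print("audit partition not available here:", exc)
```

The two-knob mapping is the gap the report describes: auditd as shipped can express the first and last rungs of the ladder, and the intermediate notifications have to come from elsewhere.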
This control is part of the NIST 800-53 rev4:
RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.
Auditd meets that.
What is being asked for is not a requirement specified by the NIST risk management framework nor specified in Common Criteria. Which leads to the question of whether any platform supports something like this. How is this met on Windows, for example? Thanks.
The requirement being asked for is in the document "Committee on National Security Systems Instruction (CNSSI) 1253 Appendix 3: Cross Domain Solution (CDS) Overlays". CNSSI 1253 is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm (the design of that site is such that individual documents cannot be linked against).
To my knowledge, the Windows operating system is not considered secure enough to be allowed to be used as a CDS by the US Government, so this requirement would not be levied against that OS. Also to my knowledge, the only OS in active development that is used as a CDS by the US Government is derived from Red Hat Enterprise Linux (Solaris with Trusted Extensions has also been used, but every CDS I am aware of is migrating off that to Red Hat Enterprise Linux).
OK. Fair enough. My first thoughts are that this is a general problem (disk capacity) and not specifically an audit problem. I'll dig into this a bit more.
Ok. I have done a little research on this. On the Microsoft side, it looks like this kind of alerting is done by their performance monitoring tools. On RHEL, the equivalent is the Performance Co-Pilot.
Some basic RHEL documentation that describes it is here:
Better upstream documentation is here:
In particular, there is the pmie service.
and example rules such as this:
which shows how to do alerts on disk fullness. This is a general solution for any disk capacity problems. You may also find its ability to alert on other problems useful.
Thank you for the guidance regarding how to configure PCP for this.
Can we at least consider allowing a percentage for the "space_left" and "admin_space_left" in auditd.conf since the NIST guidance is "organization-defined percentage"?
Yes, I think it wouldn't be too hard to scan the string for % and, if found, do the math and place that into the parameter instead. I'll see if I can add this to the upcoming 2.8.5 release.
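An illustration of the approach described in the comment above (scan the value for "%" and do the math against the audit partition size), and of the hand calculation described in the report for RHEL 6/7 where only a megabyte figure is accepted. This is an added example, not the audit project's code and not what commit 58005af implements; the parsing rules, rounding down to whole MiB, and the sample auditd.conf are assumptions of this example.

```python
"""Resolve percentage-valued space_left / admin_space_left settings to the
megabyte figures auditd expects.

Added example, not auditd's implementation.  Percentages are computed against
the size of the partition holding the audit log, rounded down to whole MiB.
"""
import os
import re

MIB = 1024 * 1024

# Matches only the two threshold keys, not space_left_action etc.
_THRESHOLD_LINE = re.compile(r"^\s*(space_left|admin_space_left)\s*=\s*(\S+)\s*$", re.I)

# Constructed sample configuration using the percentages requested in the report.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
space_left = 25%
space_left_action = email
admin_space_left = 1%
admin_space_left_action = halt
"""


def audit_partition_bytes(log_file="/var/log/audit/audit.log"):
    """Size in bytes of the filesystem that holds the audit log."""
    st = os.statvfs(os.path.dirname(log_file))
    return (st.f_frsize or st.f_bsize) * st.f_blocks


def resolve_threshold(value, partition_bytes):
    """Return megabytes for either a fixed '512' or a percentage '25%' setting."""
    value = value.strip()
    if value.endswith("%"):
        pct = float(value[:-1])
        if not 0 < pct < 100:
            raise ValueError(f"percentage out of range: {value}")
        return int(partition_bytes * pct / 100 // MIB)
    if not value.isdigit():
        raise ValueError(f"unparseable threshold: {value}")
    return int(value)


def rewrite_auditd_conf(text, partition_bytes):
    """Replace percentage thresholds with MiB values; leave every other line alone.

    Returns (rewritten_text, {key: megabytes}) so the caller can review the
    numbers before installing the file.
    """
    resolved = {}
    out = []
    for line in text.splitlines():
        m = _THRESHOLD_LINE.match(line)
        if not m:
            out.append(line)
            continue
        key, raw = m.group(1).lower(), m.group(2)
        resolved[key] = resolve_threshold(raw, partition_bytes)
        out.append(f"{key} = {resolved[key]}")
    # auditd's configuration sanity check requires space_left > admin_space_left;
    # catch an inverted pair here rather than at daemon start-up.
    if ("space_left" in resolved and "admin_space_left" in resolved
            and resolved["space_left"] <= resolved["admin_space_left"]):
        raise ValueError("space_left must be larger than admin_space_left")
    return "\n".join(out) + "\n", resolved


if __name__ == "__main__":
    # Constructed 200 GiB partition; replace with audit_partition_bytes() on a real host.
    size = 200 * 1024 ** 3
    text, values = rewrite_auditd_conf(SAMPLE_CONF, size)
    print(values)
    print(text)
```

On a pre-2.8.5 auditd the rewritten text is what gets installed; on 2.8.5 and later the percentage form can stay in the file and the same arithmetic happens in the daemon. Either way the resulting admin_space_left has to end up below space_left or auditd will not accept the configuration.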
Changing the name of this report to better reflect what the ask is.
This feature was added to upstream git repo as commit 58005af.
audit-2.8.5-1.el7 was built to address this issue.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.