Notify when auditing fails The audit service should be configured to immediately print messages to the console or email administrator users when an auditing failure occurs. It is critical for the appropriate personnel to be aware if a system is at risk of failing to process audit logs as required. Without a real-time alert, security personnel may be unaware of an impending failure of the audit capability and system operation may be adversely affected.

[exists/does_not_exist]

By default, auditd only logs errors to syslog. To verify if auditd has been configured to send immediate alerts to the SA or IAO, ask the SA if /etc/security/audit_warn has been configured to send emails or print alerts to the terminal window when audit errors occur. For example, to see if audit has been configured to print error messages to the console, run the following command: sudo grep logger /etc/security/audit_warn If the argument '-s' is missing, or if audit_warn has not been otherwise modified to print errors to the console or send email alerts to the SA and IAO, this is a finding.