4.1.2.3 Ensure system is disabled when audit logs are full

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt.

- ignore the audit daemon does nothing
- Syslog the audit daemon will issue a warning to syslog
- Suspend the audit daemon will stop writing records to the disk
- single the audit daemon will put the computer system in single user mode
- halt the audit daemon will shut down the system

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root

set admin_space_left_action to either halt or single in /etc/audit/auditd.conf

Example:

admin_space_left_action = halt

Impact:

If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full.

See Also

https://workbench.cisecurity.org/files/4226