4.4 Ensure audit system is set to single when the disk is full.

Information

The operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Rationale:

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

Solution

Configure the action the operating system takes if the disk the audit records are written to becomes full.
Uncomment or edit the disk_full_action option in /etc/audisp/audisp-remote.conf.
Example: vim /etc/audisp/audisp-remote.conf
Set it to syslog, single, or halt, as in the following example:

disk_full_action = single
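
An added check for the setting above (example code, not part of the benchmark or the STIG): it reads an audisp-remote.conf file, skips commented-out lines, and passes only when every active disk_full_action value is syslog, single, or halt. The function names, return codes and sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: verify disk_full_action in audisp-remote.conf.
# Function names, return codes and sample files are assumptions of this example.

# Print every active (uncommented) disk_full_action value found in file $1.
active_disk_full_actions() {
    sed -n 's/^[[:space:]]*disk_full_action[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# Return 0 = compliant, 1 = option not set, 2 = unacceptable value, 3 = file unreadable.
check_disk_full_action() {
    conf=${1:-/etc/audisp/audisp-remote.conf}
    [ -r "$conf" ] || { echo "FAIL: cannot read $conf"; return 3; }
    values=$(active_disk_full_actions "$conf")
    [ -n "$values" ] || { echo "FAIL: disk_full_action not set in $conf"; return 1; }
    # Fail closed: every active occurrence must be one of the listed values.
    for v in $values; do
        case $v in
            syslog|single|halt) ;;
            *) echo "FAIL: disk_full_action = $v in $conf"; return 2 ;;
        esac
    done
    echo "PASS: disk_full_action = $(echo $values) in $conf"
    return 0
}

# Constructed sample configs (not taken from a real host) to exercise the check.
demo_dir=$(mktemp -d)
printf '%s\n' '#disk_full_action = ignore' > "$demo_dir/commented.conf"
printf '%s\n' 'remote_server = loghost.example' 'disk_full_action = single' > "$demo_dir/fixed.conf"
for f in "$demo_dir/commented.conf" "$demo_dir/fixed.conf"; do
    check_disk_full_action "$f" || true
done
rm -rf "$demo_dir"
```

Called with no argument, check_disk_full_action reads /etc/audisp/audisp-remote.conf, the path given in the Solution.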

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72087

Rule ID: SV-86711r3_rule

STIG ID: RHEL-07-030320

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5a.

Plugin: Unix

Control ID: 5b9fd2ec2c7ba5dc26c87955e2ccb80554c2e40d1f8f953de7b18f580c9652e9