4.1.1.2 Ensure system is disabled when audit logs are full - 'action_mail_acct is configured'

Information

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf-space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5, CSCv6|6.3

Plugin: Unix

Control ID: a8958436096ad308b0bcb87ced5a6255d9d6945aba83fc9f263c04d86df7318b