Information
The auditd daemon can be configured to halt the system when the audit logs are full.
Rationale:
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Solution
Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt