4.1.1.2 Ensure system is disabled when audit logs are full - admin_space_left_action

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The auditddaemon can be configured to halt the system when the audit logs are full.
Rationale:
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/2429

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5, CSCv6|6.3, CSCv7|6.4

Plugin: Unix

Control ID: 9894a4c737b4d2eb3be7d9f6ca371e2a1555c949728c3623947abc2ffe1fcaac