5.3.1.2 Disable System on Audit Log Full - action_mail_acct
Information
The auditd daemon can be configured to halt the system when the audit logs are full. Rationale: In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Solution
Add or edit the following lines in the /etc/audit/auditd.conf file. space_left_action = email action_mail_acct = root admin_space_left_action = halt