5.3.1.2 Disable System on Audit Log Full - admin_space_left_action

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Add or edit the following lines in the /etc/audit/auditd.conf file.

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: Unix

Control ID: d4d2f0081765de5768152c2e3e1764968905d56f062aad0f979d84bccfae77e6