4.1.2.5 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-4, 800-53|AU-7, 800-53|AU-12, CSCv7|6.2, CSCv7|6.4, Rule-ID|SV-204514r603261_rule, Rule-ID|SV-204515r603261_rule

Plugin: Unix

Control ID: 20f3e5294cb9170daf34549d6f5d8be97e6f500e2bd644523e3fb385a3f1ce4e