4.1.2.5 Ensure system is disabled when audit logs are full - at a minimum when the threshold for the repository maximum audit record storage capacity is reached.

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), CCI|CCI-001855, CSCv7|6.2, CSCv7|6.4, Rule-ID|SV-204514r603261_rule, Rule-ID|SV-204515r603261_rule, STIG-ID|RHEL-07-030350

Plugin: Unix

Control ID: 20f3e5294cb9170daf34549d6f5d8be97e6f500e2bd644523e3fb385a3f1ce4e