4.1.2.3 Ensure system is disabled when audit logs are full - 'space_left_action = email'

Information

The auditd daemon can be configured to halt the system when the audit logs are full.
Rationale:
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email action_mail_acct = root admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/2485

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(2)

Plugin: Unix

Control ID: 614d9b91f0564e551a880e576e3b2030d009c85c934311f404a27e7d6877eed9