4.1.1.2 Ensure system is disabled when audit logs are full - space_left_action
Information
The auditd daemon can be configured to halt the system when the audit logs are full. Rationale: In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Solution
Set the following parameters in /etc/audit/auditd.conf: space_left_action = email action_mail_acct = root admin_space_left_action = halt