8.1.1.2 Disable System on Audit Log Full- 'space_left_action = email'

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

*Rationale*

In high security contexts, the risk of detecting unauthorized access or nonrepudiation
exceeds the benefit of the system's availability.

Solution

Add the following lines to the /etc/audit/auditd.conf file.space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5(1), 800-53|AU-5(4)

Plugin: Unix

Control ID: 844a78ed0c325a255503a856b82fd76b5334697d084e9cb13879a5b26864b0e1