Ensure system is disabled when audit logs are full - 'action_mail_acct = root'

Information

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623.html