4.1.1.2 Ensure system is disabled when audit logs are full - space_left_action

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

Notes:

This Benchmark recommendation maps to:

Red Hat Enterprise Linux 7 Security Technical Implementation Guide:

Version 2, Release: 3 Benchmark Date: 26 Apr 2019



Vul ID: V-72091

Rule ID: SV-86715r2_rule

STIG ID: RHEL-07-030340

Severity: CAT II



Vul ID: V-72093

Rule ID: SV-86717r3_rule

STIG ID: RHEL-07-030350

Severity: CAT II

See Also

https://workbench.cisecurity.org/files/2688

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: Unix

Control ID: 533c7425f4ba493e6042b89a98c9ed3f0c35457de4326de9c4d0041f3176e00e