4.1.1.2 Ensure system is disabled when audit logs are full - 'admin_space_left_action = halt'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt

See Also

https://workbench.cisecurity.org/files/1857

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5, CSCv6|6.3

Plugin: Unix

Control ID: 1675f6f03cc51eced40b74cf29254e1a58e82b2365963eaebb31c02571a62f26