Detections
Analytics

6.3.2.3 Ensure system is disabled when audit logs are full

Information

The auditd daemon can be configured to halt the system or put the system in single user mode, if no free space is available or an error is detected on the partition that holds the audit log files.

The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt.

 - ignore, the audit daemon will issue a syslog message but no other action is taken
 - syslog, the audit daemon will issue a warning to syslog
 - rotate, the audit daemon will rotate logs, losing the oldest to free up space
 - exec, /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once its completed its action
 - suspend, the audit daemon will stop writing records to the disk
 - single, the audit daemon will put the computer system in single user mode
 - halt, the audit daemon will shut down the system

The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. Valid values are ignore, syslog, exec, suspend, single, and halt.

 - ignore, the audit daemon will not take any action
 - syslog, the audit daemon will issue no more than 5 consecutive warnings to syslog
 - exec, /path-to-script will execute the script. You cannot pass parameters to the script
 - suspend, the audit daemon will stop writing records to the disk
 - single, the audit daemon will put the computer system in single user mode
 - halt, the audit daemon will shut down the system

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Solution

Set one of the following parameters in /etc/audit/auditd.conf depending on your local security policies.

disk_full_action = <halt|single>
disk_error_action = <syslog|single|halt>

Example:

disk_full_action = halt
disk_error_action = halt

Impact:

disk_full_action parameter:

 - Set to halt - the auditd daemon will shutdown the system when the disk partition containing the audit logs becomes full.
 - Set to single - the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full.

disk_error_action parameter:

 - Set to halt - the auditd daemon will shutdown the system when an error is detected on the partition that holds the audit log files.
 - Set to single - the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files.
 - Set to syslog - the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files.

See Also

https://workbench.cisecurity.org/benchmarks/24009

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5b., Rule-ID|SV-230390r627750_rule, Rule-ID|SV-230392r627750_rule, Vuln-ID|V-230390, Vuln-ID|V-230392

Plugin: Unix

Control ID: ae16e37871b01f62af8d0f6c517ce32d4ad86351b32dd76e6e06fe461917c50e