4.1.2.3 Ensure system is disabled when audit logs are full

Information

The auditd daemon can be configured to halt the system when the audit logs are full.

The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt.

ignore, the audit daemon does nothing

Syslog, the audit daemon will issue a warning to syslog

Suspend, the audit daemon will stop writing records to the disk

single, the audit daemon will put the computer system in single user mode

halt, the audit daemon will shutdown the system

Rationale:

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Impact:

If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full.

Solution

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email
action_mail_acct = root

Set admin_space_left_action to either halt or single in /etc/audit/auditd.conf.
Example:

admin_space_left_action = halt

Additional Information:

NIST SP 800-53 Rev. 5:

AU-2

AU-8

AU-12

SI-5

See Also

https://workbench.cisecurity.org/files/3807

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-4, 800-53|AU-7, 800-53|AU-12

Plugin: Unix

Control ID: 88efd5d6bbcf59cacd8a9fa5e559ef66b155d3db2a2c0d2f7444ca2cb9ccd6d0