InformationThe auditd daemon can be configured to halt the system when the audit logs are full.
The admin_space_left_action parameter tells the system what action to take when the system has detected that it is low on disk space. Valid values are ignore, syslog, suspend, single, and halt.
ignore, the audit daemon does nothing
Syslog, the audit daemon will issue a warning to syslog
Suspend, the audit daemon will stop writing records to the disk
single, the audit daemon will put the computer system in single user mode
halt, the audit daemon will shutdown the system
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
If the admin_space_left_action parameter is set to halt the audit daemon will shutdown the system when the disk partition containing the audit logs becomes full.
SolutionSet the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
Set admin_space_left_action to either halt or single in /etc/audit/auditd.conf.
admin_space_left_action = halt
NIST SP 800-53 Rev. 5: