5.2.2.3 Ensure system is disabled when audit logs are full

Information

The auditd daemon can be configured to halt the system or put the system in single user mode if no free space is available, or an error is detected, on the partition that holds the audit log files.

The disk_full_action parameter tells the system what action to take when no free space is available on the partition that holds the audit log files. Valid values are ignore, syslog, rotate, exec, suspend, single, and halt.

ignore, the audit daemon will issue a syslog message but no other action is taken

syslog, the audit daemon will issue a warning to syslog

rotate, the audit daemon will rotate logs, losing the oldest to free up space

exec, /path-to-script will execute the script. You cannot pass parameters to the script. The script is also responsible for telling the auditd daemon to resume logging once it has completed its action

suspend, the audit daemon will stop writing records to the disk

single, the audit daemon will put the computer system in single user mode

halt, the audit daemon will shut down the system

The disk_error_action parameter tells the system what action to take when an error is detected on the partition that holds the audit log files. Valid values are ignore, syslog, exec, suspend, single, and halt.

ignore, the audit daemon will not take any action

syslog, the audit daemon will issue no more than 5 consecutive warnings to syslog

exec, /path-to-script will execute the script. You cannot pass parameters to the script

suspend, the audit daemon will stop writing records to the disk

single, the audit daemon will put the computer system in single user mode

halt, the audit daemon will shut down the system

Rationale:

In high security contexts, the risk of failing to detect unauthorized access, or of losing nonrepudiation, exceeds the benefit of keeping the system available.

Impact:

If the disk_full_action parameter is set to halt, the auditd daemon will shut down the system when the disk partition containing the audit logs becomes full.

If the disk_full_action parameter is set to single, the auditd daemon will put the computer system in single user mode when the disk partition containing the audit logs becomes full.

If the disk_error_action parameter is set to halt, the auditd daemon will shut down the system when an error is detected on the partition that holds the audit log files.

If the disk_error_action parameter is set to single, the auditd daemon will put the computer system in single user mode when an error is detected on the partition that holds the audit log files.

If the disk_error_action parameter is set to syslog, the auditd daemon will issue no more than 5 consecutive warnings to syslog when an error is detected on the partition that holds the audit log files.

Solution

Set one of the following parameters in /etc/audit/auditd.conf depending on your local security policies.

disk_full_action = <halt|single>
disk_error_action = <syslog|single|halt>

Example:

disk_full_action = halt
disk_error_action = halt
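As an added example (not part of the benchmark or of the audit plugin), the following POSIX sh script reads an auditd.conf and reports whether disk_full_action and disk_error_action hold values this control accepts. The script name, the sample configuration files in the comments and the treatment of the last assignment as the effective one are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: check an auditd.conf for the
# disk_full_action / disk_error_action values this control accepts.
# Usage: sh check_auditd_conf.sh /etc/audit/auditd.conf   (exit 0 = compliant)

# Print the effective value of a keyword. Comment lines are skipped, keyword and
# value are compared case-insensitively (the stock file ships "SUSPEND" in upper
# case, which auditd accepts) and the last assignment in the file wins.
get_param() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[ \t]*#/ { next }                     # comment line
        {
            n = index($0, "=")
            if (n == 0) next                    # not a "key = value" line
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+/, "", k); gsub(/[ \t]+$/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) val = tolower(v)
        }
        END { print val }' "$1"
}

value_in() {  # return 0 if $1 equals one of the remaining arguments
    needle="$1"; shift
    for candidate in "$@"; do [ "$needle" = "$candidate" ] && return 0; done
    return 1
}

# Report both settings; succeed only if both are within the accepted values.
check_auditd_conf() {  # $1 = config file
    conf="$1"; status=0
    full=$(get_param "$conf" disk_full_action)
    err=$(get_param "$conf" disk_error_action)
    if value_in "$full" halt single; then
        echo "PASS disk_full_action = $full"
    else
        echo "FAIL disk_full_action = ${full:-<unset>} (expected halt or single)"
        status=1
    fi
    if value_in "$err" syslog single halt; then
        echo "PASS disk_error_action = $err"
    else
        echo "FAIL disk_error_action = ${err:-<unset>} (expected syslog, single or halt)"
        status=1
    fi
    return $status
}

# Stand-alone use: check the file given as the first argument.
[ "$#" -eq 0 ] || check_auditd_conf "$1"
```

A stock auditd.conf, which leaves both parameters at SUSPEND, fails the check; a file with the Example values above passes.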

See Also

https://workbench.cisecurity.org/benchmarks/15288

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-2, 800-53|AU-4, 800-53|AU-7, 800-53|AU-12

Plugin: Unix

Control ID: 31b78ad031e169c4f2cc67aed6da91bc0c5610ffd31ac443c29baffedd5000c7