Ensure system is disabled when audit logs are full - space_left_action

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version


The auditd daemon can be configured to halt the system when the audit logs are full. In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.


Set the following parameters in /etc/audit/auditd.conf: space_left_action = emailaction_mail_acct = rootadmin_space_left_action = halt

See Also