Information
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
Solution
The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting [ACTION] appropriately:
admin_space_left_action = [ACTION]
Set this value to 'single' to cause the system to switch to single-user mode for corrective action. Acceptable values also include 'suspend' and 'halt'. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the 'auditd.conf' man page.
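A check for this setting, as an added example that is not part of the original benchmark text: the function reads an 'auditd.conf'-style file and passes only when 'admin_space_left_action' is 'single', 'suspend' or 'halt'. The function name, return codes, case-insensitive matching and sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit check for admin_space_left_action in auditd.conf.
# Return codes (chosen for this example): 0 acceptable value, 1 other value,
# 2 setting missing, 3 setting present more than once with different values.

check_admin_space_left_action() {
    conf=$1
    # Drop comments, match the keyword case-insensitively (an assumption of
    # this check), then lower-case the value and strip surrounding whitespace.
    values=$(sed -e 's/#.*$//' "$conf" |
        awk -F= 'tolower($1) ~ /^[ \t]*admin_space_left_action[ \t]*$/ {
            v = tolower($2); gsub(/[ \t\r]/, "", v); print v }' | sort -u)
    [ -n "$values" ] || { echo "missing"; return 2; }
    # Conflicting duplicates are reported rather than guessing which one wins.
    [ "$(printf '%s\n' "$values" | grep -c '')" -eq 1 ] ||
        { echo "conflicting"; return 3; }
    echo "$values"
    case $values in
        single|suspend|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configs (not taken from a real system).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'space_left_action = SYSLOG\nadmin_space_left_action = SINGLE\n' \
    > "$tmp/good.conf"
printf 'admin_space_left_action = ignore\n' > "$tmp/weak.conf"

for f in "$tmp/good.conf" "$tmp/weak.conf"; do
    if result=$(check_admin_space_left_action "$f"); then
        echo "PASS $f: $result"
    else
        echo "FAIL $f: $result"
    fi
done
```

On a live system, pass '/etc/audit/auditd.conf' as the argument.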