RHEL-06-000163 - The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.


Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.


The 'auditd' service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file '/etc/audit/auditd.conf'. Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Set this value to 'single' to cause the system to switch to single-user mode for corrective action. Acceptable values also include 'suspend' and 'halt'. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the 'auditd.conf' man page.
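
The check described above, as an added example that is not part of the original audit item: a shell function that reads an auditd.conf-style file and reports whether admin_space_left_action is set to 'single', 'suspend' or 'halt'. The function name, the case-insensitive comparison, the handling of a repeated key (last occurrence is used) and the sample file are assumptions of this example.

```sh
#!/bin/sh
# Added example: report the effective admin_space_left_action value.
# Returns 0 when it is single, suspend or halt; 1 otherwise; 2 if unreadable.
check_admin_space_left_action() {
    conf=${1:-/etc/audit/auditd.conf}
    [ -r "$conf" ] || { echo "unreadable: $conf" >&2; return 2; }
    # Skip commented lines, tolerate spaces around "=", compare in lower case.
    # Assumption: if the key is repeated, the last occurrence is the one used.
    value=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) == "admin_space_left_action") {
                val = $2; gsub(/[ \t]/, "", val); found = tolower(val)
            }
        }
        END { print found }' "$conf")
    case $value in
        single|suspend|halt) echo "$value"; return 0 ;;
        "") echo "unset"; return 1 ;;
        *) echo "$value"; return 1 ;;
    esac
}

# Constructed sample configuration (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# admin_space_left_action = single
space_left_action = email
admin_space_left = 50
Admin_Space_Left_Action = SUSPEND
EOF

# The commented-out line and the similarly named keys must not match.
if result=$(check_admin_space_left_action "$sample"); then
    echo "PASS: admin_space_left_action = $result"
else
    echo "FAIL: admin_space_left_action = $result"
fi
rm -f "$sample"
```

Call the function with no argument to check '/etc/audit/auditd.conf' on the host itself.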

Item Details


References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-217950r603264_rule, STIG-ID|RHEL-06-000163, STIG-Legacy|SV-68627, STIG-Legacy|V-54381, Vuln-ID|V-217950

Plugin: Unix

Control ID: b99aa9478270a0a82ed50bfa62ce454228ac61dbb45d02a48f6c7b223fbc4157