RHEL-06-000005 - The audit system must alert designated staff members when the audit storage volume approaches capacity.


Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.


The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the 'auditd.conf' man page. These include:


Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.

RHEL-06-000521 ensures that the email generated through the operation 'space_left_action' will be sent to an administrator.

See Also


Item Details


References: 800-53|AU-5(1), CAT|II, CCI|CCI-001855, Rule-ID|SV-217850r603264_rule, STIG-ID|RHEL-06-000005, STIG-Legacy|SV-50270, STIG-Legacy|V-38470, Vuln-ID|V-217850

Plugin: Unix

Control ID: 207bf09356629242e99f04bc94d9a2d4e2a66cb06c498d2a6b95c46f66063180