RHEL-09-653050 - RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.

Solution

Configure 'auditd' service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Edit the following line in '/etc/audit/auditd.conf' to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:

admin_space_left_action = single

The audit daemon must be restarted for changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V1R2_STIG.zip

Item Details

References: CAT|II, CCI|CCI-001855, Rule-ID|SV-258159r926464_rule, STIG-ID|RHEL-09-653050, Vuln-ID|V-258159

Plugin: Unix

Control ID: 77e05aa71684d06573bbe2b4295a1ef27c0dc8db4ea9766e3e3ece354a647b77