Details
There are two important reasons to ensure that data gathered by auditd is stored on a separate partition- protection against resource exhaustion (since the audit.log file can
grow quite large) and protection of audit data. The audit daemon calculates how much free space is left and performs actions based on the results. If other processes (such as syslog)
consume space in the same partition as auditd, it may not perform as desired.
Solution
For new installations, during installation create a custom partition setup and specify a separate partition for /var/log/audit.For systems that were previously installed, create a new partition and configure /etc/fstab as appropriate.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.