Details
The auditd daemon can be configured to halt the system when the audit logs are full.
Rationale:
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system’s availability.
Solution
Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email
action_mail_acct = root
admin_space_left_action = halt
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72091
Rule ID: SV-86715r2_rule
STIG ID: RHEL-07-030340
Severity: CAT II
Vul ID: V-72093
Rule ID: SV-86717r3_rule
STIG ID: RHEL-07-030350
Severity: CAT II
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.