UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must take appropriate action when the audit storage volume is full.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38468 RHEL-06-000510 SV-50268r1_rule Medium
Description
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2018-11-28

Details

Check Text ( C-46023r1_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full:

# grep disk_full_action /etc/audit/auditd.conf
disk_full_action = [ACTION]


If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.
Fix Text (F-43413r1_fix)
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

disk_full_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"exec"
"suspend"
"single"
"halt"


Set this to "syslog", "exec", "single", or "halt".