UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must provide a warning when allocated audit record storage volume reaches a documented percentage of maximum audit record storage capacity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38678 RHEL-06-000311 SV-50479r2_rule Medium
Description
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2018-11-28

Details

Check Text ( C-46240r1_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine whether the system is configured to email the administrator when disk space is starting to run low:

# grep space_left /etc/audit/auditd.conf

space_left = [num_megabytes]


If the "num_megabytes" value does not correspond to a documented value for remaining audit partition capacity or if there is no locally documented value for remaining audit partition capacity, this is a finding.
Fix Text (F-43627r2_fix)
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [num_megabytes] appropriately:

space_left = [num_megabytes]

The "num_megabytes" value should be set to a fraction of the total audit storage capacity available that will allow a system administrator to be notified with enough time to respond to the situation causing the capacity issues. This value must also be documented locally.