TOSS 5 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282572TOSS-05-000394SV-282572r1200696_ruleCCI-001855medium
Description
If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282572r1200696_chk)

Verify TOSS 5 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity using the following command: $ sudo grep admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = single If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO). If there is no evidence that real-time alerts are configured on the system, this is a finding.

Fix Text (F-87038r1200695_fix)

Configure "auditd" service to act in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity. Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity: admin_space_left_action = single Restart the audit daemon changes to take effect.