TOSS 5 must act when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-282572 | TOSS-05-000394 | SV-282572r1200696_rule | CCI-001855 | medium |
| Description | ||||
| If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity. | ||||
| STIG | Date | |||
| Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide | 2026-04-01 | |||
Details
Check Text (C-282572r1200696_chk)
Verify TOSS 5 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity using the following command:
$ sudo grep admin_space_left_action /etc/audit/auditd.conf
admin_space_left_action = single
If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO).
If there is no evidence that real-time alerts are configured on the system, this is a finding.
Fix Text (F-87038r1200695_fix)
Configure "auditd" service to act in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:
admin_space_left_action = single
Restart the audit daemon changes to take effect.