UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.


Overview

Finding ID Version Rule ID IA Controls Severity
RHEL-06-000162 RHEL-06-000162 RHEL-06-000162_rule Medium
Description
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2013-02-05

Details

Check Text ( C-RHEL-06-000162_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to switch to single user mode when disk space has run low:

admin_space_left_action single


If the system is not configured to switch to single user mode for corrective action, this is a finding.
Fix Text (F-RHEL-06-000162_fix)
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"email"
"exec"
"suspend"
"single"
"halt"


Set this value to "single" to cause the system to switch to single user mode for corrective action. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.