
The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.


Overview

Finding ID: RHEL-06-000162
Version: RHEL-06-000162
Rule ID: RHEL-06-000162_rule
IA Controls: (none listed)
Severity: Medium
Description
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
STIG: Red Hat Enterprise Linux 6 Security Technical Implementation Guide
Date: 2013-02-05

Details

Check Text (C-RHEL-06-000162_chk)
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to switch to single user mode when disk space has run low:

admin_space_left_action = single


If the system is not configured to switch to single user mode for corrective action, this is a finding.
Fix Text (F-RHEL-06-000162_fix)
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"email"
"exec"
"suspend"
"single"
"halt"


Set this value to "single" to cause the system to switch to single user mode for corrective action. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.
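
The check above can be scripted. The following is an added example, not part of the STIG text; the function names "effective_action" and "check_rhel_06_000162" are hypothetical, and the sample file is constructed. It assumes auditd matches keys and values case-insensitively and that the last occurrence of a repeated key takes effect.

```shell
#!/bin/sh
# Added example: scripted check for RHEL-06-000162 (not part of the STIG).

# Print the effective admin_space_left_action value (lowercased) from an
# auditd.conf-style file, or nothing if the key is absent.
# Assumptions: keys/values are case-insensitive; the last occurrence wins.
effective_action() {
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            n = index($0, "=")
            if (n == 0) next                     # not a key = value line
            key = tolower(substr($0, 1, n - 1))
            val = tolower(substr($0, n + 1))
            gsub(/[ \t]/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "admin_space_left_action") last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 when the setting is "single", 1 for a finding; print a verdict.
check_rhel_06_000162() {
    conf=${1:-/etc/audit/auditd.conf}
    if [ ! -r "$conf" ]; then
        echo "FINDING: cannot read $conf"
        return 1
    fi
    action=$(effective_action "$conf")
    if [ "$action" = "single" ]; then
        echo "PASS: admin_space_left_action = single"
        return 0
    fi
    echo "FINDING: admin_space_left_action = ${action:-<not set>}"
    return 1
}

# Constructed sample: the compliant line is commented out, so the active
# setting is "suspend" and the check reports a finding.
sample=$(mktemp)
cat > "$sample" <<'EOF'
space_left_action = email
#admin_space_left_action = single
Admin_Space_Left_Action = SUSPEND
EOF
check_rhel_06_000162 "$sample" || true
rm -f "$sample"
```

Run check_rhel_06_000162 with no argument to inspect "/etc/audit/auditd.conf" on the local system.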