The audit system must alert designated staff members when the audit storage volume approaches capacity.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
RHEL-06-000311	RHEL-06-000311	RHEL-06-000311_rule		Medium

Description
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.

STIG	Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide	2013-02-05

Details

Check Text ( C-RHEL-06-000311_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low: "# grep space_left_action /etc/audit/auditd.conf" space_left_action email If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding.

Fix Text (F-RHEL-06-000311_fix)
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: space_left_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "email" "exec" "suspend" "single" "halt" Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention.

Fix Text (F-RHEL-06-000311_fix)

The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"email"
"exec"
"suspend"
"single"
"halt"

Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention.