UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must alert designated staff members when the audit storage volume approaches capacity.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38470 RHEL-06-000005 SV-50270r1_rule Medium
Description
Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2013-06-03

Details

Check Text ( C-46025r1_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to email the administrator when disk space is starting to run low:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email


If the system is not configured to send an email to the system administrator when disk space is starting to run low, this is a finding.
Fix Text (F-43415r1_fix)
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"email"
"exec"
"suspend"
"single"
"halt"


Set this to "email" (instead of the default, which is "suspend") as it is more likely to get prompt attention.

RHEL-06-000521 ensures that the email generated through the operation "space_left_action" will be sent to an administrator.