Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-38468 | RHEL-06-000510 | SV-50268r1_rule | Medium |
Description |
---|
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. |
STIG | Date |
---|---|
Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2016-06-05 |
Check Text ( C-46023r1_chk ) |
---|
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding. |
Fix Text (F-43413r1_fix) |
---|
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt". |