UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The audit system must switch the system to single-user mode when available audit storage volume becomes dangerously low.


Overview

Finding ID Version Rule ID IA Controls Severity
V-54381 RHEL-06-000163 SV-68627r3_rule Medium
Description
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2017-04-28

Details

Check Text ( None )
None
Fix Text (F-59235r2_fix)
The "auditd" service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [ACTION] appropriately:

admin_space_left_action = [ACTION]

Set this value to "single" to cause the system to switch to single-user mode for corrective action. Acceptable values also include "suspend" and "halt". For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for [ACTION] are described in the "auditd.conf" man page.