UCF STIG Viewer Logo

The Photon operating system must immediately notify the SA and ISSO when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity.


Finding ID Version Rule ID IA Controls Severity
V-258845 PHTN-40-000112 SV-258845r935564_rule Low
If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.
VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide 2023-10-29


Check Text ( C-62585r933594_chk )
At the command line, run the following command to verify auditd is alerting when low disk space is detected:

# grep '^space_left' /etc/audit/auditd.conf

Expected result:

space_left = 25%
space_left_action = SYSLOG

If the output does not match the expected result, this is a finding.
Fix Text (F-62494r933595_fix)
Navigate to and open:


Ensure the "space_left" and "space_left_action" lines are uncommented and set to the following:

space_left = 25%
space_left_action = SYSLOG

At the command line, run the following command:

# pkill -SIGHUP auditd