Level 2 - Server Level 2 - Workstation
The auditd daemon can be configured to halt the system when the audit logs are full.
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.
Run the following commands and verify output matches:
# grep space_left_action /etc/audit/auditd.conf space_left_action = email # grep action_mail_acct /etc/audit/auditd.conf action_mail_acct = root # grep admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = halt
Set the following parameters in /etc/audit/auditd.conf:
space_left_action = email action_mail_acct = root admin_space_left_action = halt