4.1.1.2 Ensure system is disabled when audit logs are full (Scored)

Level 2 - Server
Level 2 - Workstation 

The auditd daemon can be configured to halt the system when the audit logs are full.

In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

Run the following commands and verify output matches:

# grep space_left_action /etc/audit/auditd.conf 
space_left_action = email 
# grep action_mail_acct /etc/audit/auditd.conf 
action_mail_acct = root 
# grep admin_space_left_action /etc/audit/auditd.conf 
admin_space_left_action = halt

Set the following parameters in /etc/audit/auditd.conf:

space_left_action = email 
action_mail_acct = root 
admin_space_left_action = halt