✎ 4.1.1.2 Ensure system is disabled when audit logs are full (Scored) [SecScan]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.

======4.1.1.2 Ensure system is disabled when audit logs are full (Scored)======
=====Profile Applicability=====  
<code>
Level 2 - Server
Level 2 - Workstation 
</code>

=====Description=====
The ''auditd'' daemon can be configured to halt the system when the audit logs are full.

=====Rationale=====
In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability.

=====Audit===== 
Run the following commands and verify output matches:
<Code:bash>
# grep space_left_action /etc/audit/auditd.conf 
space_left_action = email 
# grep action_mail_acct /etc/audit/auditd.conf 
action_mail_acct = root 
# grep admin_space_left_action /etc/audit/auditd.conf 
admin_space_left_action = halt
</Code>

=====Remediation===== 
Set the following parameters in ''/etc/audit/auditd.conf'':
<Code:bash>
space_left_action = email 
action_mail_acct = root 
admin_space_left_action = halt
</Code>