Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ======4.1.1.2 Ensure system is disabled when audit logs are full (Scored)====== =====Profile Applicability===== <code> Level 2 - Server Level 2 - Workstation </code> =====Description===== The ''auditd'' daemon can be configured to halt the system when the audit logs are full. =====Rationale===== In high security contexts, the risk of detecting unauthorized access or nonrepudiation exceeds the benefit of the system's availability. =====Audit===== Run the following commands and verify output matches: <Code:bash> # grep space_left_action /etc/audit/auditd.conf space_left_action = email # grep action_mail_acct /etc/audit/auditd.conf action_mail_acct = root # grep admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = halt </Code> =====Remediation===== Set the following parameters in ''/etc/audit/auditd.conf'': <Code:bash> space_left_action = email action_mail_acct = root admin_space_left_action = halt </Code> ubuntu1604/4/1/1/2.txt Last modified: 2017/05/02 14:35by 127.0.0.1