Check: RHEL-06-000510
Red Hat Enterprise Linux 6 STIG:
RHEL-06-000510
(in versions v2 r2 through v1 r14)
Title
The audit system must take appropriate action when the audit storage volume is full. (Cat II impact)
Discussion
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
Check Content
Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when the audit storage volume is full: # grep disk_full_action /etc/audit/auditd.conf disk_full_action = [ACTION] If the system is configured to "suspend" when the volume is full or "ignore" that it is full, this is a finding.
Fix Text
The "auditd" service can be configured to take an action when disk space starts to run low. Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_full_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".
Additional Identifiers
Rule ID: SV-218093r603264_rule
Vulnerability ID: V-218093
Group Title: SRG-OS-000047
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000140 |
Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records. |
Controls
| Number | Title |
|---|---|
| AU-5 |
Response to Audit Processing Failures |