RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

An XCCDF Rule

Description

<VulnDiscussion>If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-258159r926464_rule
Severity: Medium
References: CCI-001855
Updated: 8 months ago

Configure "auditd" service  to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:

admin_space_left_action = single 
The audit daemon must be restarted for changes to take effect.

RHEL 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.

Description

Remediation - Manual Procedure