AlmaLinux OS 9 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
An XCCDF Rule
Description
If security personnel are not notified immediately when storage volume reaches 75 percent usage, they are unable to plan for audit record storage capacity expansion.
- ID
- SV-269520r1050403_rule
- Version
- ALMA-09-053370
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Configure the "auditd" service to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.
Edit the following line in "/etc/audit/auditd.conf" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:
admin_space_left_action = single
The audit daemon must be restarted for changes to take effect.