Configure auditd Disk Full Action when Disk Space Is Full
An XCCDF Rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely.

Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:

disk_full_action = ACTION

Set this value to single to cause the system to switch to single-user mode for corrective action. Acceptable values also include syslog, single, and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
Rationale
Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.
- ID: xccdf_org.ssgproject.content_rule_auditd_data_disk_full_action_stig
- Severity: Medium
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
    # The <xccdf-1.2:sub .../> element is replaced by the selected ACTION value (e.g. single) when the content is built
    var_auditd_disk_full_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_disk_full_action" use="legacy"/>'
    # ... (the remainder of the script, which writes disk_full_action into /etc/audit/auditd.conf, is missing from this copy)
fi
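The edit the Description asks for, written out as an added stand-alone example (not the SCAP Security Guide remediation itself): an idempotent setter for KEY = VALUE lines in an auditd.conf-style file, a reader for the effective value, and a check that disk_full_action is one of the values the rule names (single, syslog, halt). The function names and the sample file are constructed for this example; the sample stands in for /etc/audit/auditd.conf so it can run without touching a real system.

```shell
#!/bin/sh
# Idempotently set a key in an auditd.conf-style file (KEY = VALUE lines),
# replacing an existing line (even a commented-out one) or appending if absent.
# Usage: set_auditd_option <file> <key> <value>
set_auditd_option() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# Print the effective (uncommented) value of a key, or nothing if it is unset.
# If the key appears more than once, the last occurrence is reported.
get_auditd_option() {
    sed -n -E "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p" "$1" | tail -n 1
}

# Return 0 if disk_full_action is one of the values the rule names
# (single, syslog, halt); return 1 otherwise. auditd.conf(5) lists further
# values, which this check deliberately does not accept.
check_disk_full_action() {
    case "$(get_auditd_option "$1" disk_full_action)" in
        single|syslog|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample file standing in for /etc/audit/auditd.conf.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample, not a real system file
log_file = /var/log/audit/audit.log
disk_full_action = suspend
disk_error_action = suspend
EOF
if check_disk_full_action "$demo_file"; then echo "compliant"; else
    echo "non-compliant: disk_full_action = $(get_auditd_option "$demo_file" disk_full_action)"; fi
set_auditd_option "$demo_file" disk_full_action single
check_disk_full_action "$demo_file" && echo "compliant after remediation"
rm -f "$demo_file"
```

The setter uses GNU sed's -i; on a BSD sed it would need -i '' instead.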
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - NIST-800-53-AU-5(1)
    - NIST-800-53-AU-5(2)