Configure auditd admin_space_left Action on Low Disk Space
An XCCDF Rule
Description
The auditd service can be configured to take an action when disk space is running low but prior to running out of space completely. Edit the file /etc/audit/auditd.conf. Add or modify the following line, substituting ACTION appropriately:
admin_space_left_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include suspend and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. Details regarding all possible values for ACTION are described in the auditd.conf man page.
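The edit described above can be made idempotently and then verified. This is an added example, not the SCAP Security Guide remediation for this rule; the function names are hypothetical, and it assumes that keys are matched case-insensitively and that the last occurrence of a key is the effective one.

```shell
#!/bin/sh
# Added example (not SSG code): set and check admin_space_left_action.
# Usage: set_admin_space_left_action /etc/audit/auditd.conf single
# The path is a parameter so the functions can be tried on a copy first.

# Print the effective value, lowercased. Assumption: keys are matched
# case-insensitively and the last uncommented occurrence wins.
get_admin_space_left_action() {
    awk -F= '
        tolower($1) ~ /^[ \t]*admin_space_left_action[ \t]*$/ {
            v = $2; gsub(/[ \t\r]/, "", v); val = tolower(v)
        }
        END { if (val != "") print val }' "$1"
}

# Rewrite the first matching line, drop later duplicates, append if absent.
set_admin_space_left_action() {
    conf=$1; action=$2
    # Only the values the rule description names as acceptable are allowed.
    case "$action" in
        single|suspend|halt) ;;
        *) echo "refusing unsupported action: $action" >&2; return 2 ;;
    esac
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    tmp=$(mktemp "${conf}.XXXXXX") || return 1
    awk -F= -v action="$action" '
        tolower($1) ~ /^[ \t]*admin_space_left_action[ \t]*$/ {
            if (!done) { print "admin_space_left_action = " action; done = 1 }
            next
        }
        { print }
        END { if (!done) print "admin_space_left_action = " action }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back with cat rather than mv so the file keeps its owner and mode.
    cat "$tmp" > "$conf"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

auditd has to reload its configuration before a changed action takes effect.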
Rationale
Administrators should be made aware of an inability to record audit records. If a separate partition or logical volume of adequate size is used, running low on space for audit records should never occur.
- ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_admin_space_left_action
- Severity: Medium
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
    # The xccdf-1.2:sub element is replaced with the selected value when the XCCDF content is processed
    var_auditd_admin_space_left_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_admin_space_left_action" use="legacy"/>'
fi
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - CCE-91618-9
    - CJIS-5.4.1.1