Skip to content

Configure audispd's Plugin disk_full_action When Disk Is Full

An XCCDF Rule

Description

Configure the action the operating system takes if the disk the audit records are written to becomes full. Edit the file /etc/audit/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:

disk_full_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined.

Rationale

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.

ID
xccdf_org.ssgproject.content_rule_auditd_audispd_disk_full_action
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

var_audispd_disk_full_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_audispd_disk_full_action" use="legacy"/>'



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-5(1)
  - NIST-800-53-AU-5(2)