Rule ID
SV-252474r971542_rule
Version
V1R9
CCIs
The audit service must be configured to require a minimum percentage of free disk space in order to run. This ensures that audit will notify the administrator that action is required to free up more disk space for audit logs. When "minfree" is set to 25 percent, security personnel are notified immediately when the storage volume is 75 percent full and are able to plan for audit record storage capacity expansion.
The check displays the "% free" to leave available for the system. The audit system will not write logs if the volume has less than this percentage of free disk space. To view the current setting, run the following command: /usr/bin/sudo /usr/bin/grep ^minfree /etc/security/audit_control If this returns no results, or does not contain "25", this is a finding.
Edit the "/etc/security/audit_control" file and change the value for "minfree" to "25" using the following command: /usr/bin/sudo /usr/bin/sed -i.bak 's/.*minfree.*/minfree:25/' /etc/security/audit_control; /usr/bin/sudo /usr/sbin/audit -s A text editor may also be used to implement the required updates to the "/etc/security/audit_control file".