Rule ID
SV-282572r1200696_rule
Version
V1R1
CCIs
Discussion
If no action is taken when the audit storage volume reaches 95 percent utilization, the auditing system may fail once the volume reaches capacity.
Check Text
Verify TOSS 5 is configured to take action when the allocated audit record storage volume reaches 95 percent of the repository's maximum audit record storage capacity, using the following command:

$ sudo grep admin_space_left_action /etc/audit/auditd.conf
admin_space_left_action = single

If the value of "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system provides real-time alerts to the SA and information system security officer (ISSO). If there is no evidence that real-time alerts are configured on the system, this is a finding.

Note that this check covers only the action auditd takes; the 95 percent threshold itself is set by the separate "admin_space_left" parameter (5 percent of the partition remaining), which is verified by its own rule.
Fix Text
Configure the "auditd" service to act when the allocated audit record storage volume reaches 95 percent of the repository's maximum audit record storage capacity. Edit the following line in "/etc/audit/auditd.conf" so that the system is forced into single-user mode when the audit record storage volume is about to reach maximum capacity:

admin_space_left_action = single

Restart the audit daemon for the changes to take effect. On RHEL-based systems such as TOSS, the auditd systemd unit refuses a manual "systemctl restart auditd"; use "service auditd restart" instead.
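The check and fix above, scripted as an added example (this is not part of the STIG text and not a DISA-provided script). It evaluates admin_space_left_action the way auditd itself reads auditd.conf (comment lines ignored, whitespace around "=" stripped, keywords matched case-insensitively, last assignment wins), then rewrites the file so exactly one canonical line remains. The function names are my own, the config path is a parameter so it can be run against a copy, and the sample auditd.conf in the demo is constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the STIG: evaluate and remediate
# admin_space_left_action in an auditd.conf as an automated
# compliance check would. Function names are hypothetical.

# Print the effective admin_space_left_action (lower-cased).
# auditd reads the file top to bottom, ignores "#" lines, strips
# whitespace around "=" and matches keywords case-insensitively,
# so the last uncommented assignment is the one that takes effect.
effective_admin_space_left_action() {
    conf="$1"
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }
        {
            key = $1; gsub(/[ \t]/, "", key)
            if (tolower(key) != "admin_space_left_action") next
            val = $2; gsub(/[ \t]/, "", val)
            last = tolower(val)
        }
        END { print last }
    ' "$conf"
}

# Return 0 (compliant) only when the effective value is "single".
# A missing or unreadable file is reported as a finding.
check_admin_space_left_action() {
    conf="$1"
    [ -r "$conf" ] || return 1
    [ "$(effective_admin_space_left_action "$conf")" = "single" ]
}

# Remediate: replace every uncommented assignment with the canonical
# line (so only one effective setting remains) or append one if none
# exists. Writing back with "cat >" keeps the file's owner, mode and
# SELinux label, which a mv of a temp file over it would not.
set_admin_space_left_action_single() {
    conf="$1"
    tmp=$(mktemp) || return 1
    awk '
        {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if ($0 !~ /^[ \t]*#/ && index($0, "=") && tolower(key) == "admin_space_left_action") {
                if (!done) { print "admin_space_left_action = single"; done = 1 }
                next
            }
            print
        }
        END { if (!done) print "admin_space_left_action = single" }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample config for the demo (not a real system's file).
# It shows the common false-positive: a commented-out "single" line
# followed by a live assignment of a different action.
demo=$(mktemp)
cat > "$demo" <<'EOF'
log_file = /var/log/audit/audit.log
space_left = 25%
space_left_action = email
admin_space_left = 5%
#admin_space_left_action = single
admin_space_left_action = SUSPEND
EOF

if check_admin_space_left_action "$demo"; then
    echo "compliant: admin_space_left_action is single"
else
    echo "finding: effective admin_space_left_action is '$(effective_admin_space_left_action "$demo")'"
    set_admin_space_left_action_single "$demo"
    echo "remediated; apply with: service auditd restart"
fi
rm -f "$demo"
```

Run it as root against /etc/audit/auditd.conf to remediate a live host, then restart auditd with "service auditd restart" so the new action is loaded; the demo above operates only on the constructed temp file.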