STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 6 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

V-234979

CAT II (Medium)

Audispd must take appropriate action when the SUSE operating system audit storage is full.

Rule ID

SV-234979r1009576_rule

STIG

SUSE Linux Enterprise Server 15 Security Technical Implementation Guide

Version

V2R7

CCIs

None

Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.

Check Content

Verify the audit system off-loads audit records if the SUSE operating system storage volume becomes full.

Check that the records are properly off-loaded to a remote server with the following command:

> sudo grep -i "disk_full_action" /etc/audit/audisp-remote.conf
disk_full_action = syslog

If "disk_full_action" is not set to "syslog", "single", or "halt" or the line is commented out, this is a finding.

Fix Text

Configure the SUSE operating system to take the appropriate action if the audit storage is full.

Add, edit, or uncomment the "disk_full_action" option in "/etc/audit/audisp-remote.conf". Set it to "syslog", "single" or "halt" as in the example below:

disk_full_action = syslog