
6.2.2.3 Ensure system is disabled when audit logs are full

Audit

Run the following command and verify that disk_full_action is set to either halt or single:

# grep -Pi -- '^\h*disk_full_action\h*=\h*(halt|single)\b' /etc/audit/auditd.conf
disk_full_action = <halt|single>

Run the following command and verify that disk_error_action is set to syslog, single, or halt:

# grep -Pi -- '^\h*disk_error_action\h*=\h*(syslog|single|halt)\b' /etc/audit/auditd.conf
disk_error_action = <syslog|single|halt>

Remediation

Set the following parameters in /etc/audit/auditd.conf according to your local security policies:

disk_full_action = <halt|single>
disk_error_action = <syslog|single|halt>

Example:

disk_full_action = halt
disk_error_action = halt
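The audit and remediation steps above, combined into a small script that reports PASS/FAIL for both settings. This is an added example, not part of the CIS benchmark text; it assumes the config path is passed as the first argument (defaulting to /etc/audit/auditd.conf) and uses POSIX ERE equivalents of the benchmark's grep -P patterns so it also runs where GNU grep -P is unavailable. The sample config files it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): compliance check for the two auditd.conf
# settings in control 6.2.2.3. Assumes $1 is the config path (default /etc/audit/auditd.conf).
# Patterns are POSIX ERE equivalents of the page's grep -P patterns.

# Each matcher returns 0 when the key is set to an allowed value, 1 otherwise. Leading
# blanks, blanks around '=', and upper/lower case are tolerated, as in the audit commands.
check_disk_full_action() {
    grep -Eiq '^[[:blank:]]*disk_full_action[[:blank:]]*=[[:blank:]]*(halt|single)([[:blank:]]|$)' "$1"
}

check_disk_error_action() {
    grep -Eiq '^[[:blank:]]*disk_error_action[[:blank:]]*=[[:blank:]]*(syslog|single|halt)([[:blank:]]|$)' "$1"
}

# Prints a verdict per setting; returns 0 only if both are compliant,
# 1 if either setting is missing or not an allowed value, 2 if the file cannot be read.
check_auditd_conf() {
    conf="${1:-/etc/audit/auditd.conf}"
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }
    rc=0
    if check_disk_full_action "$conf"; then
        echo "PASS: disk_full_action is halt or single"
    else
        echo "FAIL: disk_full_action must be halt or single ($conf)"; rc=1
    fi
    if check_disk_error_action "$conf"; then
        echo "PASS: disk_error_action is syslog, single, or halt"
    else
        echo "FAIL: disk_error_action must be syslog, single, or halt ($conf)"; rc=1
    fi
    return $rc
}

# Writes a constructed sample config: $1 = path, $2 = disk_full_action, $3 = disk_error_action.
make_sample_conf() {
    printf 'log_file = /var/log/audit/audit.log\n' > "$1"
    printf 'disk_full_action = %s\n' "$2" >> "$1"
    printf 'disk_error_action = %s\n' "$3" >> "$1"
}

# Demo on constructed files (not the live system config).
demo_dir=$(mktemp -d)
make_sample_conf "$demo_dir/compliant.conf" halt halt
make_sample_conf "$demo_dir/noncompliant.conf" suspend ignore   # constructed non-compliant values
check_auditd_conf "$demo_dir/compliant.conf"
check_auditd_conf "$demo_dir/noncompliant.conf" || echo "exit status: $?"
rm -rf "$demo_dir"
```

To check the live system, run it as root with no argument or pass the path of the file you remediated.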