Profile Applicability:
Level 2
Description:
The space_left_action and admin_space_left_action parameters in the auditd configuration (/etc/audit/auditd.conf) determine what happens when disk space for audit logs is low or full. Configuring these settings to halt the system helps prevent it from operating without audit logging, which could result in missed events or non-compliance.
Rationale:
When the system continues running without the ability to write audit logs due to full disk space, critical security events may not be recorded. Halting the system enforces the importance of auditing and protects against operating in a non-auditable state.
Impact:
Pros:
Ensures no activity occurs without audit logging
Supports regulatory and forensic requirements
Prevents loss of critical security data
Cons:
May cause system downtime when disk space is full
Requires disk space monitoring and alerting strategy
Default Value:
Defaults may vary; many systems use ROTATE or SUSPEND, which allow continued operation without logging.
Pre-requisites:
auditd must be installed
Root or sudo access is required
Test Plan:
Using Linux Command Line:
Check the current values in the configuration file:
grep "space_left_action" /etc/audit/auditd.conf
grep "admin_space_left_action" /etc/audit/auditd.conf
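As an added example (not part of the benchmark text), the following POSIX shell check parses an auditd.conf, ignores commented-out lines, takes the last assignment of each parameter, and fails unless both parameters resolve to halt. The sample configuration it runs against is constructed in the script, not read from a real host.

```shell
# Print the effective value of one auditd.conf parameter, lower-cased.
# Commented-out lines are skipped; the last uncommented assignment wins,
# which is how auditd resolves duplicate keys.
audit_conf_value() {
    conf="$1"; key="$2"
    grep -i "^[[:space:]]*${key}[[:space:]]*=" "$conf" \
        | tail -n 1 \
        | sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]'
}

# Return 0 when both space_left_action and admin_space_left_action are
# set to halt, 1 otherwise. Defaults to the real file if no path is given.
check_space_actions() {
    conf="${1:-/etc/audit/auditd.conf}"
    ok=0
    for key in space_left_action admin_space_left_action; do
        val="$(audit_conf_value "$conf" "$key")"
        if [ "$val" = "halt" ]; then
            echo "PASS: $key = $val"
        else
            echo "FAIL: $key = ${val:-<unset>} (expected halt)"
            ok=1
        fi
    done
    return "$ok"
}

# Constructed sample configuration for a stand-alone run (not a real host's file).
sample_conf="$(mktemp)"
cat > "$sample_conf" <<'EOF'
log_file = /var/log/audit/audit.log
space_left_action = SYSLOG
# admin_space_left_action = halt
admin_space_left_action = suspend
EOF
check_space_actions "$sample_conf" || echo "Remediation needed: see Implementation Plan"
rm -f "$sample_conf"
```

Run it with no argument on a live system to check /etc/audit/auditd.conf itself.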
Implementation Plan:
Using Linux Command Line:
Open the configuration file:
vi /etc/audit/auditd.conf
Locate or add the following lines:
space_left_action = halt
admin_space_left_action = halt
Save and exit the file.
Restart the auditd service:
systemctl restart auditd
Backout Plan:
Using Linux Command Line:
Reopen the configuration file:
vi /etc/audit/auditd.conf
Change the values of space_left_action and admin_space_left_action back to their previous settings (e.g., rotate, suspend, or exec).
Restart the auditd service:
systemctl restart auditd
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Configuration Documentation
NIST SP 800-53 Revision 5 - AU-5