Profile Applicability:
Level 2
Description:
The space_left_action and admin_space_left_action parameters in the auditd configuration define actions to take when disk space allocated for audit logs is low. Configuring these settings to send warnings helps notify administrators before the disk space is exhausted, allowing proactive management of audit logs.
Rationale:
Warnings about low disk space on audit logs help ensure that audit logging continues uninterrupted and that corrective actions can be taken before the system reaches a critical state where audit logs can no longer be written.
Impact:
Pros:
Enables timely alerts for audit log storage issues
Prevents unexpected audit log disruptions
Supports compliance and forensic readiness
Cons:
Requires a monitoring and response process to be effective
Default Value:
Defaults may vary; some systems may use ignore or syslog by default.
Pre-requisites:
auditd must be installed
Root or sudo privileges required
Test Plan:
Using Linux Command Line:
Check the current space_left_action and admin_space_left_action settings:
grep "space_left_action" /etc/audit/auditd.conf
grep "admin_space_left_action" /etc/audit/auditd.conf
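A scripted form of this check, added here as an example and not part of the benchmark text. It compares whole keys, because a plain grep for "space_left_action" also matches admin_space_left_action and commented-out lines. It assumes keys and action values are case-insensitive and that the last assignment of a repeated key wins; the function names and the sample file are hypothetical.

```sh
# Added example (not from the benchmark): check the auditd low-space warning settings.
# get_setting KEY FILE: print the value assigned to KEY in an auditd.conf-style file.
# The key is compared as a whole, case-insensitively, so "space_left_action" never
# matches "admin_space_left_action"; comment lines are skipped. If a key repeats,
# the last assignment is reported (an assumption of this example).
get_setting() {
    awk -F= -v key="$1" '
        /^[ \t]*#/ || index($0, "=") == 0 { next }
        {
            k = tolower($1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            val = v
        }
        END { if (val != "") print val }
    ' "$2"
}

# check_auditd_warnings FILE: return 0 only if both actions are "email" and
# action_mail_acct is set explicitly, as the implementation plan configures it.
check_auditd_warnings() {
    conf=$1; rc=0
    for key in space_left_action admin_space_left_action; do
        val=$(get_setting "$key" "$conf" | tr '[:upper:]' '[:lower:]')
        if [ "$val" = "email" ]; then
            echo "PASS $key = $val"
        else
            echo "FAIL $key = ${val:-<not set>} (expected email)"; rc=1
        fi
    done
    acct=$(get_setting action_mail_acct "$conf")
    if [ -n "$acct" ]; then
        echo "PASS action_mail_acct = $acct"
    else
        echo "FAIL action_mail_acct is not set"; rc=1
    fi
    return $rc
}

# Constructed sample input: the commented-out line must not count as configured.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#space_left_action = email
space_left_action = SYSLOG
Admin_Space_Left_Action = email
action_mail_acct = root
EOF
check_auditd_warnings "$sample" || echo "sample config is not compliant"
rm -f "$sample"
```

To audit a host, run check_auditd_warnings /etc/audit/auditd.conf as root and act on a non-zero exit status.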
Implementation Plan:
Using Linux Command Line:
Open the auditd configuration file:
vi /etc/audit/auditd.conf
Set the following values to send warnings:
space_left_action = email
admin_space_left_action = email
Configure the email recipient in the action_mail_acct setting:
action_mail_acct = root
Save and exit the file.
Restart the auditd service to apply changes:
systemctl restart auditd
Backout Plan:
Using Linux Command Line:
Reopen the configuration file:
vi /etc/audit/auditd.conf
Restore space_left_action and admin_space_left_action to previous values (e.g., syslog, ignore).
Restart the auditd service:
systemctl restart auditd
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Configuration Documentation
NIST SP 800-53 Revision 5 - AU-5