{"description": "The <tt>auditd</tt> service can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,\nsubstituting <i>ACTION</i> appropriately:\n<pre>disk_full_action = <i>ACTION</i></pre>\nSet this value to <tt>single</tt> to cause the system to switch to single-user\nmode for corrective action. Acceptable values also include\n\n<tt>syslog</tt>, <tt>exec</tt>, <tt>single</tt>, and <tt>halt</tt>.\n\nFor certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for <i>ACTION</i> are described in the\n<tt>auditd.conf</tt> man page.", "rationale": "Taking appropriate action in case of a filled audit storage volume will minimize\nthe possibility of losing audit records.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "srg": ["SRG-OS-000047-GPOS-00023"], "cis": ["6.3.2.3"], "stigid": ["UBTU-22-653030"], "stigref": ["SV-260594r1038966_rule"]}, "control_references": {"cis": ["6.3.2.3"], "stigid": ["UBTU-22-653030"]}, "components": [], "identifiers": {},
"ocil_clause": "there is no evidence of appropriate action", "ocil": "Verify Ubuntu 22.04 takes the appropriate action when the audit storage volume is full.\n\nCheck that Ubuntu 22.04 takes the appropriate action when the audit storage volume is full with the following command:\n\n$ sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = <sub idref=\"var_auditd_disk_full_action\" />\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\n\nAdd or update the following line (\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in the \"/etc/audit/auditd.conf\" file:\n\n\ndisk_full_action = <sub idref=\"var_auditd_disk_full_action\" />\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure Ubuntu 22.04 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_full_action\" to \"SYSLOG\".", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd Disk Full Action when Disk Space Is Full", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action/rule.yml", "template": null}