{"description": "The <tt>auditd</tt> service can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,\nsubstituting <i>ACTION</i> appropriately:\n<pre>disk_full_action = <i>ACTION</i></pre>\nSet this value to <tt>single</tt> to cause the system to switch to single-user\nmode for corrective action. Acceptable values also include <tt>syslog</tt>,\n<tt>single</tt>, and <tt>halt</tt>. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for <i>ACTION</i> are described in the\n<tt>auditd.conf</tt> man page.", "rationale": "Taking appropriate action in case of a filled audit storage volume will minimize\nthe possibility of losing audit records.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "srg": ["SRG-OS-000047-GPOS-00023"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "there is no evidence of appropriate action", "ocil": "Verify Ubuntu 22.04 takes the appropriate action when the audit storage volume is 
full.\n\nCheck that Ubuntu 22.04 takes the appropriate action when the audit storage volume is full with the following command:\n\n$ sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = <sub idref=\"var_auditd_disk_full_action\" />\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = <sub idref=\"var_auditd_disk_full_action\" />\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure Ubuntu 22.04 to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_full_action\" to \"SYSLOG\".", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when the audit storage volume is full.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when the audit storage volume is full.", "vuldiscussion": "It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. 
Responses to audit failure depend upon the nature of the failure mode.", "checktext": "Verify Ubuntu 22.04 takes the appropriate action when the audit storage volume is full.\n\nCheck that Ubuntu 22.04 takes the appropriate action when the audit storage volume is full with the following command:\n\n$ sudo grep disk_full_action /etc/audit/auditd.conf\n\ndisk_full_action = HALT\n\nIf the value of the \"disk_full_action\" option is not \"SYSLOG\", \"SINGLE\", or \"HALT\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to shut down by default upon audit failure (unless availability is an overriding concern).\n\nAdd or update the following line (\"disk_full_action\" can be set to \"SYSLOG\" or \"SINGLE\" depending on configuration) in \"/etc/audit/auditd.conf\" file:\n\ndisk_full_action = HALT\n\nIf availability has been determined to be more important, and this decision is documented with the ISSO, configure the operating system to notify system administration staff and ISSO staff in the event of an audit processing failure by setting the \"disk_full_action\" to \"SYSLOG\"."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd Disk Full Action when Disk Space Is Full", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_disk_full_action_stig/rule.yml", "template": null}