{"description": "The <tt>auditd</tt> service can be configured to take an action\nwhen disk space is running low but prior to running out of space completely.\nEdit the file <tt>/etc/audit/auditd.conf</tt>. Add or modify the following line,\nsubstituting <i>ACTION</i> appropriately:\n<pre>admin_space_left_action = <i>ACTION</i></pre>\nSet this value to <tt>single</tt> to cause the system to switch to single user\nmode for corrective action. Acceptable values also include <tt>suspend</tt> and\n<tt>halt</tt>. For certain systems, the need for availability\noutweighs the need to log all actions, and a different setting should be\ndetermined. Details regarding all possible values for <i>ACTION</i> are described in the\n<tt>auditd.conf</tt> man page.", "rationale": "Administrators should be made aware of an inability to record\naudit records. If a separate partition or logical volume of adequate size\nis used, running low on space for audit records should never occur.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cjis": ["5.4.1.1"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "cui": ["3.3.1"], "hipaa": ["164.312(a)(2)(ii)"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.7"], "srg": ["SRG-OS-000343-GPOS-00134"], "cis": ["6.3.2.4"], "pcidss4": ["10.5.1", "10.5"]}, "control_references": {"cis": ["6.3.2.4"], "pcidss4": ["10.5.1", "10.5"]}, "components": [], "identifiers": {}, "ocil_clause": "there is no evidence that real-time alerts are configured on the system", "ocil": "Verify that Ubuntu 22.04 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:\n\n<pre>$ sudo grep admin_space_left_action /etc/audit/auditd.conf\n\nadmin_space_left_action = single</pre>\n\nIf the value of the \"admin_space_left_action\" is not set to \"single\", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.", "oval_external_content": null, "fixtext": "Configure \"auditd\" service  to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:\n\n<pre>admin_space_left_action = single</pre>\n\nThe audit daemon must be restarted for changes to take effect.", "checktext": "", "vuldiscussion": "If security personnel are not notified immediately when storage volume reaches 90% utilization, they are unable to plan for audit record storage capacity expansion.", "srg_requirement": "Ubuntu 22.04 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.\nUbuntu 22.04 must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must take action when allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.", "vuldiscussion": "If action is not taken when storage volume reaches 95% utilization the auditing system may fail when the storage volume reaches capacity.", "checktext": "Verify that Ubuntu 22.04 is configured to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:\n\n$ sudo grep admin_space_left_action /etc/audit/auditd.conf\n\nadmin_space_left_action = single\n\nIf the value of the \"admin_space_left_action\" is not set to \"single\", or if the line is commented out, ask the System Administrator to indicate how the system is providing real-time alerts to the SA and ISSO.\n\nIf there is no evidence that real-time alerts are configured on the system, this is a finding.", "fixtext": "Configure \"auditd\" service  to take action in the event of allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity.\n\nEdit the following line in \"/etc/audit/auditd.conf\" to ensure that the system is forced into single user mode in the event the audit record storage volume is about to reach maximum capacity:\n\nadmin_space_left_action = single\n\nThe audit daemon must be restarted for changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd admin_space_left Action on Low Disk Space", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_admin_space_left_action/rule.yml", "template": null}