Configure auditd space_left Action on Low Disk Space

Classification:

compliance

Framework:

Control:

Description

The auditd service can be configured to take an action when disk space starts to run low. Edit the file /etc/audit/auditd.conf. Modify the following line, substituting ACTION appropriately:

space_left_action = *ACTION*

Possible values for ACTION are described in the auditd.conf man page. These include:

  • syslog
  • email
  • exec
  • suspend
  • single
  • halt

Set this to email (instead of the default, which is suspend) as it is more likely to get prompt attention. Acceptable values also include suspend, single, and halt.

Rationale

Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.