SRG-OS-000342-GPOS-00133<GroupDescription></GroupDescription>RHEL-07-030320The audit system must take appropriate action when the audit storage volume is full.<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 7DISADPMS TargetRed Hat 72777CCI-001851Configure the action the operating system takes if the disk the audit records are written to becomes full.^M
^M
Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:^M
^M
disk_full_action = single^M
^M
Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".Verify the action the operating system takes if the disk the audit records are written to becomes full.^M
^M
To determine the action that takes place if the disk is full on the remote server, use the following command:^M
^M
# grep -i disk_full_action /etc/audisp/audisp-remote.conf^M
disk_full_action = single^M
^M
To determine the action that takes place if the network connection fails, use the following command:^M
^M
# grep -i network_failure_action /etc/audisp/audisp-remote.conf^M
network_failure_action = stop^M
^M
If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.^M
^M
If the value of the "disk_full_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.