OL6-00-000005 - The audit system must alert designated staff members when the audit storage volume approaches capacity.


Notifying administrators of an impending disk space problem may allow them to take corrective action prior to any disruption.


The 'auditd' service can be configured to take an action when disk space starts to run low. Edit the file '/etc/audit/auditd.conf'. Modify the following line, substituting [ACTION] appropriately:

space_left_action = [ACTION]

Possible values for [ACTION] are described in the 'auditd.conf' man page. These include: 'ignore',
'syslog', 'email', 'exec', 'suspend', 'single', and 'halt'. Set this to 'email' (instead of the default, which is 'suspend') as it is more likely to get prompt attention. The 'syslog' option is acceptable, provided the local log management infrastructure notifies an appropriate administrator in a timely manner.

OL6-00-000521 ensures that the email generated through the operation 'space_left_action' will be sent to an administrator.

Supportive Information

The following resource is also helpful.

This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.