SV-234958r622137_rule
V-234958
SRG-OS-000047-GPOS-00023
SLES-15-030590
CAT II
10
Configure the SUSE operating system to shut down by default upon audit failure (unless availability is an overriding concern).
Add or update the following line (depending on configuration "disk_full_action" can be set to "SYSLOG", "SINGLE", or "HALT" depending on configuration) in "/etc/audit/auditd.conf" file:
disk_full_action = HALT
Verify the SUSE operating system takes the appropriate action when the audit storage volume is full.
Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:
> sudo grep disk_full_action /etc/audit/auditd.conf
disk_full_action = SYSLOG
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
V-234958
False
SLES-15-030590
Verify the SUSE operating system takes the appropriate action when the audit storage volume is full.
Check that the SUSE operating system takes the appropriate action when the audit storage volume is full with the following command:
> sudo grep disk_full_action /etc/audit/auditd.conf
disk_full_action = SYSLOG
If the value of the "disk_full_action" option is not "SYSLOG", "SINGLE", or "HALT", or the line is commented out, this is a finding.
M
5274