← Rules Catalog
mediumauditunverified

Ensure auditd admin_space_left threshold is configured

auditd-admin-space-left-threshold · RHEL ≥ 8 · 1 impl

Description

/etc/audit/auditd.conf must set admin_space_left to at least 5% (or an absolute value per policy) so the admin_space_left_action triggers with headroom.

Rationale

Without an adequate admin_space_left threshold, the audit partition can fill before the configured action fires, risking loss of audit data.

Check → Remediate

Checkcommand
v=$(grep -iE '^[[:space:]]*admin_space_left[[:space:]]*=' /etc/audit/auditd.conf 2>/dev/null | tail -1 | sed -E 's/.*=[[:space:]]*//; s/%.*//; s/[[:space:]]//g')
[ -n "$v" ] || { echo "FAIL: admin_space_left not set"; exit 1; }
# Percentage form: must be >=5. Absolute (large) values are accepted.
case "$v" in
  *[!0-9]*) echo "FAIL: admin_space_left '$v' not numeric"; exit 1 ;;
esac
if [ "$v" -ge 5 ]; then echo "OK: admin_space_left=$v"; exit 0; fi
echo "FAIL: admin_space_left=$v (must be >=5%)"; exit 1
expected_exit:
0
Remediateconfig_set
path:
/etc/audit/auditd.conf
key:
admin_space_left
value:
5%
separator:
=

Framework references

STIG

V-281107 / RHEL-10-500105V-258158 / RHEL-09-653045

NIST 800-53

AU-5
#audit#auditd#disk-space#stig