If action is not taken when storage volume reaches 95 percent utilization, the auditing system may fail when the storage volume reaches capacity.
Check
Verify RHEL 10 is configured to take action if allocated audit record storage volume reaches 95 percent of the repository maximum audit record storage capacity with the following command:
$ sudo grep admin_space_left_action /etc/audit/auditd.conf admin_space_left_action = single
If the value of the "admin_space_left_action" is not set to "single", or if the line is commented out, ask the system administrator (SA) to indicate how the system is providing real-time alerts to the SA and information system security officer (ISSO).
If there is no evidence that real-time alerts are configured on the system, this is a finding.
Fix
Configure RHEL 10 auditd service to take action if allocated audit record storage volume reaching 95 percent of the repository maximum audit record storage capacity.
Edit the following line in "/etc/audit/auditd.conf" to ensure the system is forced into single user mode if the audit record storage volume is about to reach maximum capacity:
admin_space_left_action = single
Restart the audit daemon with the following command for the changes to take effect: