If security personnel are not notified immediately when storage volume reaches 75 percent utilization, they are unable to plan for audit record storage capacity expansion.

[225]

Fix:Check the system configuration to determine the partition to which the audit records are written: > sudo grep -iw log_file /etc/audit/auditd.conf Determine the size of the partition to which audit records are written (e.g., "/var/log/audit/"): > df -h /var/log/audit/ Set the value of the "space_left" keyword in "/etc/audit/auditd.conf" to 25 percent of the partition size.