Hello, We have a RHEL6 system with the disk_full_action set to HALT. I'm working on procedures for what to do if this case occurs. When the log partition fills up, the system shuts down. However, the system will not boot after this because as soon as auditd tries to start, the system immediately shuts down again. What are the options for recovering after this happens? I've come up with two: 1) Stop the boot process at grub and disable audit by adding a kernel parameter 'audit=0'. 2) If grub timeout is 0, use a live CD to access the audit partition. I'm sure there are some variations on option 1 using an interactive boot. Are there any other options I missed, especially if grub timeout has been set to 0? Thanks, Andrew Ruch -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit