The default configuration for ``disk_error_action`` is ``SUSPEND``, which only suspends audit logging when there is a disk error on the system. Suspending audit logging can lead to security problems because the system is no longer keeping track of which syscalls were made. The security role sets the configuration to ``SYSLOG`` so that messages are sent to syslog when disk errors occur. There are additional options available, like ``EXEC``, ``SINGLE`` or ``HALT``. To configure a different ``disk_error_action``, set the following Ansible variable: .. code-block:: yaml security_disk_error_action: SYSLOG For details on available settings and what they do, run ``man auditd.conf``. Some options can cause the host to go offline until the issue is fixed. Deployers are urged to **carefully read the auditd documentation** prior to changing the ``security_disk_error_action`` setting from the default.