same problem here. (RHEL 3.0 ES Update 3)

With a heavy loaded machine, a 5 GB /var was full in a few hours.
after the /var filesystem is full, unable to log in, and when
rebooting (with CTRL-ALT-DEL on console), had messages saying /var was
unmountable and busy.

Hi - I think we can mitigate this by writing a shim to sit between
audit.conf and audbin.  I'll post a test copy here when I get a few
cycles to get something tidy.

# du -sh /var/log/audit.d/
7.5G    /var/log/audit.d

this is *really* horrible considering that audit is on by default in
fresh installs.  At least, can't we add a tmpwatch run for this directory?

Since people are having real problems with this: a workaround for 
this bug (described at 
http://ltp.sourceforge.net/docs/rheal3cu.html#Header_59) is to 
replace the "notify" command in /etc/audit/audit.conf 
with "notify=/bin/true".  We've been forced to do this on our 
systems, and it appears to be working as a stopgap way to address the 
problem.

This bug is now fixed in laus-0.1-67RHEL3, which should be in 
RHEL-3-U5, and which meanwhile can be downloaded from:
   http://people.redhat.com/~jvdias/laus/

'/usr/sbin/audbin' now has -T and -N options:

-T <threshold>
Specify  the  threshold  of  free  blocks  on the -S destination
filesystem that cannot be exceeded .  <threshold> must be a dec-
imal  number,  with  optional  fraction.   <threshold>  can be a
expressed as a percentage, in which case it must  end  with  the
’%’ character.
Examples:
-T 15000
Do  not  allow  the  number of free blocks on the -S destination
filesystem to fall below 15000 .
-T 20% Do not allow the number of free blocks  on the -S  desti-
nation  filesystem  to fall below 20% of the total blocks on the
filesystem.
If the  -N  option  is  not  specified,  and  the  threshold  is
exceeded,  audbin  will  return  an  error to auditd causing the
’output { error {’ action specified in  audit.conf  to  be  exe-
cuted.

-N <notify command>
If  the  -T threshold is going to be exceeded by creation of the
-S destination file, then the <notify command> will be run.
Occurences of the  string  %f  within  the  notify  command  are
replaced  by  the  path of the oldest file in the -S destination
directory.
Example:
-S /var/log/audit.d/save.%u -T 20% -N ’mv %f /backup’
will, when creation  of  the  new  /var/log/audit.d/save.N  file
would  cause the free blocks on the /var filesystem to amount to
less than 20% of the total  blocks,  move  the  oldest  file  in
/var/log/audit.d  with  a  name  prefixed by ’save.’ to /backup,
before attempting to create the new save.N file. If the  thresh-
old is still exceeded, the command is repeated for the next old-
est file until the disk usage is within the threshold .
If the -N command should fail (eg. in the example above, if  the
/backup filesystem is full), then audbin will return an error to
auditd causing the  ’output  {  error  {’  action  specified  in
audit.conf to be executed.


The default audit.conf now has a notify command of:
notify          = "/usr/sbin/audbin -S /var/log/audit.d/save.%u -C -T
20%";

By default, this will make auditd enter "suspend mode" when the 
number of free blocks on the /var filesystem is less than 20% of the
total blocks.
Users should implement their rotation / backup policy by adding a 
'-N' option to the audbin notify command, or change the default
'output { error { action' to be something other than suspend.

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-219.html