The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full.

An XCCDF Rule

Description

Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote daemon. When the remote buffer is full, audit logs will not be collected and sent to the central log server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

ID
SV-204507r877390_rule
Version
RHEL-07-030210
Severity
Medium
References
Updated

Remediation Templates

A Manual Procedure

Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option:

overflow_action = syslog

The audit daemon must be restarted for changes to take effect:

# service auditd restart
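
To verify the setting after the edit, the following check can be run against the file. It is an added example, not part of the STIG content or the audit package: the function name check_overflow_action and the ACCEPTED variable are hypothetical, ACCEPTED defaults to the value set above, and values are compared case-sensitively, so a differently cased value is reported as a finding.

```shell
#!/bin/sh
# Added example: audit check for overflow_action in audispd.conf.
# Return status: 0 = compliant, 1 = finding, 2 = file not readable.
# ACCEPTED (assumption of this example) is a space-separated list of values
# treated as compliant; it defaults to the value the remediation sets.
ACCEPTED="${ACCEPTED:-syslog}"

check_overflow_action() {
    conf="${1:-/etc/audisp/audispd.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf"; return 2; }

    # Collect the value of every active line. Lines starting with '#'
    # never match, so a commented-out setting counts as absent.
    values=$(sed -n 's/^[[:space:]]*overflow_action[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$conf" | sort -u)

    if [ -z "$values" ]; then
        echo "finding: overflow_action is missing, empty or commented out"
        return 1
    fi
    # More than one distinct active value: do not guess which one the
    # daemon honours, report it instead.
    if [ "$(printf '%s\n' "$values" | grep -c .)" -ne 1 ]; then
        echo "finding: conflicting overflow_action lines"
        return 1
    fi
    for ok in $ACCEPTED; do
        if [ "$values" = "$ok" ]; then
            echo "ok: overflow_action = $values"
            return 0
        fi
    done
    echo "finding: overflow_action = $values"
    return 1
}

# Constructed sample file (not taken from a real host): the compliant line
# is commented out and the active line uses a different value.
sample=$(mktemp)
printf '%s\n' 'q_depth = 80' '#overflow_action = syslog' \
    'overflow_action = ignore' > "$sample"
check_overflow_action "$sample" || true
rm -f "$sample"
```

Called with no argument, the function reads /etc/audisp/audispd.conf; its return status can be used directly in a compliance script.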