The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

An XCCDF Rule

Description

<VulnDiscussion>Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-204511r877390_rule
Severity: Medium
References: CCI-001851
Updated: 8 months ago

Configure the action the operating system takes if the disk the audit records are written to becomes full.

Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:

disk_full_action = single

The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Description

Remediation - Manual Procedure