The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

An XCCDF Rule

Details
Profiles

Description

Taking appropriate action in case of a filled audit storage volume will minimize the possibility of losing audit records. One method of off-loading audit logs in Red Hat Enterprise Linux is with the use of the audisp-remote dameon.

ID: SV-204511r877390_rule
Version: RHEL-07-030320
Severity: Medium
References: CCI-001851
Updated: 5 days ago

Remediation Templates

Configure the action the operating system takes if the disk the audit records are written to becomes full.

Uncomment or edit the "disk_full_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt", such as the following line:

disk_full_action = single

The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full.

Description

Remediation Templates

A Manual Procedure