RHEL 9 audit system must take appropriate action when the audit files have reached maximum size.
An XCCDF Rule
Description
<VulnDiscussion>It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-258160r958426_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure RHEL 9 to rotate the audit log when it reaches maximum size.
Add or update the following line in "/etc/audit/auditd.conf" file:
max_log_file_action = ROTATE