
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

An XCCDF Rule

Description

The audit system should have an action set up in the event the internal event queue becomes full. To set up an overflow action, edit /etc/audit/auditd.conf and set overflow_action to one of the following values: syslog, single, halt.
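As an added example (not part of this rule or of the ComplianceAsCode project), the following POSIX shell check reads an auditd.conf-style file and reports whether its effective overflow_action is one of the values the rule accepts. It mirrors the way the remediation below matches the key (case-insensitively, leading whitespace allowed) and treats the last non-comment assignment as the effective one. The sample files it creates are constructed for the demo, not real system configuration:

```shell
#!/bin/sh
# Added example: check whether overflow_action in an auditd.conf-style file is
# one of syslog, single or halt. File paths are passed as arguments so the check
# can be run against a copy of /etc/audit/auditd.conf or a constructed sample.

# Print the effective overflow_action value: comment lines are skipped, the key is
# matched case-insensitively, the value is kept as written, and the last
# assignment wins. Prints nothing when the key is not set at all.
effective_overflow_action() {
    awk -F'=' '
        /^[[:space:]]*#/ { next }                          # skip comment lines
        { key = $1; gsub(/[[:space:]]/, "", key) }          # strip whitespace around the key
        tolower(key) == "overflow_action" && NF >= 2 {
            val = $2
            sub(/#.*/, "", val)                             # drop a trailing inline comment
            gsub(/[[:space:]]/, "", val)                    # strip whitespace around the value
            last = val
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 when the effective value is one the rule accepts, 1 otherwise
# (unset, empty, or any other auditd value such as ignore).
check_overflow_action() {
    case "$(effective_overflow_action "$1")" in
        syslog|single|halt) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample files (not real system configs) exercising the three outcomes.
demo_dir=$(mktemp -d)
printf '%s\n' '# overflow_action = syslog' 'overflow_action = ignore' > "$demo_dir/weak.conf"
printf '%s\n' 'Overflow_Action = syslog' > "$demo_dir/ok.conf"
printf '%s\n' 'log_format = ENRICHED' > "$demo_dir/unset.conf"
for f in weak ok unset; do
    if check_overflow_action "$demo_dir/$f.conf"; then
        echo "$f.conf: compliant (overflow_action = $(effective_overflow_action "$demo_dir/$f.conf"))"
    else
        echo "$f.conf: NOT compliant"
    fi
done
rm -rf "$demo_dir"
```

Run it as `sh check_overflow_action.sh`, or source it and call `check_overflow_action /etc/audit/auditd.conf` on a host; the exit status is what a scanner would report. Note that the check is deliberately strict about the value: a setting auditd itself might accept, such as ignore, is still reported as non-compliant because the rule only allows syslog, single and halt.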

Rationale

The audit system should have an action set up in the event the internal event queue becomes full so that no data is lost.

ID
xccdf_org.ssgproject.content_rule_auditd_overflow_action
Severity
Medium
References
Updated



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AU-4(1)
  - auditd_overflow_action
- name: Set overflow_action in auditd.conf (syslog, single or halt per the description)
  lineinfile:
    path: /etc/audit/auditd.conf
    regexp: '^\s*overflow_action\s*='
    line: overflow_action = syslog
  when: '"audit" in ansible_facts.packages'

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audit/auditd.conf" ] ; then
    # Remove any existing overflow_action line (case-insensitive), then append the setting
    LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"
fi
printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi