RHEL 9 must take appropriate action when the internal event queue is full.
An XCCDF Rule
Description
The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
- ID
- SV-258162r958754_rule
- Version
- RHEL-09-653065
- Severity
- Medium
- References
- Updated
Remediation Templates
A Manual Procedure
Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option:
overflow_action = syslog
The audit daemon must be restarted for changes to take effect.