Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

An XCCDF Rule

Description

The audit system should have an action setup in the event the internal event queue becomes full. To setup an overflow action edit /etc/audit/auditd.conf. Set overflow_action to one of the following values: syslog, single, halt.

Rationale

The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.

ID: xccdf_org.ssgproject.content_rule_auditd_overflow_action
Severity: Medium
References: CCI-001851

AU-4(1)

SRG-OS-000342-GPOS-00133 SRG-OS-000479-GPOS-00224

OL08-00-030700

SV-248815r877390_rule
Updated: about 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-OL08-00-030700
  - NIST-800-53-AU-4(1)  - auditd_overflow_action
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
  block:

  - name: Check for duplicate values
    lineinfile:
      path: /etc/audit/auditd.conf
      create: true
      regexp: (?i)^\s*overflow_action\s*=\s*
      state: absent
    check_mode: true
    changed_when: false
    register: dupes

  - name: Deduplicate values from /etc/audit/auditd.conf
    lineinfile:
      path: /etc/audit/auditd.conf
      create: true
      regexp: (?i)^\s*overflow_action\s*=\s*
      state: absent
    when: dupes.found is defined and dupes.found > 1

  - name: Insert correct line to /etc/audit/auditd.conf
    lineinfile:
      path: /etc/audit/auditd.conf
      create: true
      regexp: (?i)^\s*overflow_action\s*=\s*
      line: overflow_action = syslog
      state: present
  when:
  - '"audit" in ansible_facts.packages'
  - ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - DISA-STIG-OL08-00-030700
  - NIST-800-53-AU-4(1)
  - auditd_overflow_action
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

if [ -e "/etc/audit/auditd.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"else
    touch "/etc/audit/auditd.conf"
fi
# make sure file has newline at the end
sed -i -e '$a\' "/etc/audit/auditd.conf"

cp "/etc/audit/auditd.conf" "/etc/audit/auditd.conf.bak"
# Insert at the end of the file
printf '%s\n' "overflow_action = syslog" >> "/etc/audit/auditd.conf"
# Clean up after ourselves.
rm "/etc/audit/auditd.conf.bak"

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

Description

Rationale

Remediation - Ansible

Remediation - Shell Script