Skip to content

Configure basic parameters of Audit system

An XCCDF Rule

Description

Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1    
Load new Audit rules into kernel by running:
augenrules --load

warning alert: Performance Warning

It might happen that Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing
-b larger_buffer_size
into a file within /etc/audit/rules.d directory, replacing larger_file_size with the desired value. The file name should start with a number higher than 10 and lower than 99.

Rationale

Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.

ID
xccdf_org.ssgproject.content_rule_audit_basic_configuration
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D

Remediation - Ansible

- name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy
  copy:
    dest: /etc/audit/rules.d/10-base-config.rules
    content: |+
      ## First rule - delete all
      -D