Configure basic parameters of Audit system
An XCCDF Rule
Description
Perform basic configuration of Audit system. Make sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and in cases of failure, messages are configured to be directed to system log. The following rules configure audit as described above:
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determines how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1

Load new Audit rules into kernel by running:
augenrules --load
Performance Warning
It might happen that the Audit buffer configured by this rule is not large enough for certain use cases. If that is the case, the buffer size can be overridden by placing
-b larger_buffer_size
into a file within the
/etc/audit/rules.d
directory, replacing larger_buffer_size with the desired value. The file name should start with a number higher than 10 and lower than 99, so that it sorts after 10-base-config.rules and its setting takes effect last.
Rationale
Without basic configurations, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or log events in case of failure.
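The following POSIX shell check is an added example and is not part of this XCCDF rule or its remediations. It reads a rules.d directory the way augenrules does (all *.rules files concatenated in lexical name order, last setting wins, -D expected first) and reports whether the base configuration described above is in place. The directory it inspects is a constructed temporary copy, so it runs offline without touching /etc/audit; the threshold values (8192, 60000, 1) are those from the rule text.

```shell
#!/bin/sh
# Added example: verify an audit rules.d directory carries the base configuration.
# Assumption: augenrules concatenates files in lexical name order, and auditctl
# applies -b / -f / --backlog_wait_time in order, so the last occurrence wins.

# Constructed sample directory mirroring 10-base-config.rules from the rule text.
make_sample_rules_dir() {
  dir=$(mktemp -d)
  cat << 'EOF' > "$dir/10-base-config.rules"
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determines how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
EOF
  printf '%s\n' "$dir"
}

# Concatenate the directory's rule files in load order, dropping comments and blank lines.
effective_rules() {
  cat "$1"/*.rules 2>/dev/null | grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$'
}

# Print the value of flag $2 that is in effect after all files are loaded (last wins).
effective_value() {
  effective_rules "$1" | awk -v flag="$2" '$1 == flag { v = $2 } END { print v }'
}

# Return 0 when the directory satisfies the rule, 1 (with a reason) otherwise.
check_audit_base_config() {
  dir=$1
  first=$(effective_rules "$dir" | head -n 1)
  # -D must come first; a later -D would discard rules loaded before it.
  [ "$first" = "-D" ] || { echo "FAIL: first directive is '$first', expected -D"; return 1; }
  buf=$(effective_value "$dir" -b)
  [ "${buf:-0}" -ge 8192 ] || { echo "FAIL: backlog buffer '${buf:-unset}' is below 8192"; return 1; }
  wait=$(effective_value "$dir" --backlog_wait_time)
  [ "${wait:-0}" -ge 60000 ] || { echo "FAIL: backlog_wait_time '${wait:-unset}' is below 60000"; return 1; }
  fail=$(effective_value "$dir" -f)
  [ "$fail" = "1" ] || { echo "FAIL: failure mode '${fail:-unset}' is not 1 (syslog)"; return 1; }
  echo "PASS: -D first, -b $buf, --backlog_wait_time $wait, -f $fail"
  return 0
}

# Stand-alone demonstration: base config, then a correctly named buffer override.
demo_dir=$(make_sample_rules_dir)
check_audit_base_config "$demo_dir"
printf -- '-b 16384\n' > "$demo_dir/20-bigger-buffer.rules"
echo "effective -b after 20-bigger-buffer.rules: $(effective_value "$demo_dir" -b)"
rm -rf "$demo_dir"
```

Because the check reads the files in the same order augenrules merges them, it also shows why the override file must sort after 10-base-config.rules: a file named 05-override.rules would be loaded first, and the base file's -b 8192 would win.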
- ID: xccdf_org.ssgproject.content_rule_audit_basic_configuration
- Severity: Medium
- Updated:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

cat << 'EOF' > /etc/audit/rules.d/10-base-config.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determines how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
EOF

# Load the new rules into the kernel
augenrules --load

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
Remediation - Ansible
- name: Put contents into /etc/audit/rules.d/10-base-config.rules according to policy
  copy:
    dest: /etc/audit/rules.d/10-base-config.rules
    content: |+
      ## First rule - delete all
      -D
      ## Increase the buffers to survive stress events.
      ## Make this bigger for busy systems
      -b 8192
      ## This determines how long to wait in burst of events
      --backlog_wait_time 60000
      ## Set failure mode to syslog
      -f 1
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

- name: Load new Audit rules into kernel
  command: augenrules --load
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]