
Appropriate Action Must be Setup When the Internal Audit Event Queue is Full

An XCCDF Rule

Description

The audit system should have an action set up for the case where the internal event queue becomes full. To set up an overflow action, edit /etc/audit/auditd.conf and set overflow_action to one of the following values: syslog, single, halt.
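One way to verify this setting on a host, as an added example that is not part of the rule's own check content. The function names are hypothetical, and the parsing assumes `key = value` lines, `#` comment lines, and case-insensitive matching, with the last occurrence of the key taken as effective.

```shell
#!/bin/sh
# Added example: check overflow_action in auditd.conf against the values
# this rule accepts (syslog, single, halt).
# Assumptions: "key = value" lines, '#' starts a comment line, keys and
# values are compared case-insensitively, last occurrence wins.

# Print the effective overflow_action value in lowercase, or nothing if unset.
# Returns 2 if the file cannot be read.
get_overflow_action() {
    conf="${1:-/etc/audit/auditd.conf}"
    [ -r "$conf" ] || return 2
    awk -F= '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "overflow_action") {
                val = tolower($2); gsub(/[ \t\r]/, "", val)
            }
        }
        END { if (val != "") print val }
    ' "$conf"
}

# Return 0 if compliant, 1 if not compliant, 2 if the file is unreadable.
check_overflow_action() {
    val=$(get_overflow_action "$1") || return 2
    case "$val" in
        syslog|single|halt)
            echo "PASS: overflow_action = $val"
            return 0 ;;
        "")
            echo "FAIL: overflow_action is not set"
            return 1 ;;
        *)
            echo "FAIL: overflow_action = $val (expected syslog, single or halt)"
            return 1 ;;
    esac
}
```

Calling `check_overflow_action` with no argument checks /etc/audit/auditd.conf; pass a path to check a staged copy of the file before deploying it.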

Rationale

The audit system should have an action set up for the case where the internal event queue becomes full, so that no data is lost.

ID
xccdf_org.ssgproject.content_rule_auditd_overflow_action
Severity
Medium
References
Updated