
Configure audispd's Plugin network_failure_action On Network Failure

An XCCDF Rule

Description

Configure the action the operating system takes if there is an error sending audit records to a remote system. Edit the file /etc/audit/audisp-remote.conf. Add or modify the following line, substituting ACTION appropriately:

network_failure_action = ACTION
Set this value to single to cause the system to switch to single user mode for corrective action. Acceptable values also include syslog and halt. For certain systems, the need for availability outweighs the need to log all actions, and a different setting should be determined. This profile configures the action to be .
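The following shell functions are an added example, not part of this rule's own remediation content: they check whether a configuration file sets network_failure_action to one of the values the description names (single, syslog, halt) and set it idempotently. The function names are hypothetical, and the file path is a parameter so the logic can be tried on a copy before touching /etc/audit/audisp-remote.conf.

```shell
#!/bin/sh
# Added example (hypothetical helper names): audit and set network_failure_action.

# Values this rule's description names as acceptable.
ALLOWED_ACTIONS="single syslog halt"

# Print the value of every uncommented network_failure_action assignment, one per line.
get_network_failure_action() {
    sed -n 's/^[[:space:]]*network_failure_action[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' "$1"
}

# Return 0 only if the key is set and every assignment uses an acceptable value.
# Checking all assignments avoids assuming which duplicate the daemon would honour.
check_network_failure_action() {
    values=$(get_network_failure_action "$1")
    [ -n "$values" ] || return 1
    for v in $values; do
        case " $ALLOWED_ACTIONS " in
            *" $v "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Set the value: rewrite existing assignments in place, otherwise append one.
set_network_failure_action() {
    conf=$1
    action=$2
    # Validate first; this also keeps unexpected text out of the sed expression.
    case " $ALLOWED_ACTIONS " in
        *" $action "*) ;;
        *) echo "refusing unknown action: $action" >&2; return 2 ;;
    esac
    tmp=$(mktemp) || return 1
    if grep -q '^[[:space:]]*network_failure_action[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*network_failure_action[[:space:]]*=.*/network_failure_action = $action/" "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        printf 'network_failure_action = %s\n' "$action" >> "$tmp"
    fi
    # Overwrite the contents instead of moving the temp file, so owner and mode are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}
```

Commented-out lines are ignored by the check and left untouched by the update, so a file that only contains `#network_failure_action = ...` is reported as not configured.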

Rationale

Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.

ID
xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
Severity
Medium



Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-90187-6
  - NIST-800-53-AU-5(1)

Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

var_audispd_network_failure_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_audispd_network_failure_action" use="legacy"/>'