Configure audispd's Plugin network_failure_action On Network Failure
An XCCDF Rule
Description
Configure the action the operating system takes if there is an error sending
audit records to a remote system. Edit the file /etc/audit/audisp-remote.conf
.
Add or modify the following line, substituting ACTION appropriately:
network_failure_action = ACTIONSet this value to
single
to cause the system to switch to single user
mode for corrective action. Acceptable values also include syslog
and
halt
. For certain systems, the need for availability
outweighs the need to log all actions, and a different setting should be
determined.
This profile configures the action to be
.
Rationale
Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
- ID
- xccdf_org.ssgproject.content_rule_auditd_audispd_network_failure_action
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-90187-6
- NIST-800-53-AU-5(1)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
var_audispd_network_failure_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_audispd_network_failure_action" use="legacy"/>'