Shutdown System When Auditing Failures Occur
An XCCDF Rule
Description
If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following line to the bottom of a file with suffix .rules in the directory /etc/audit/rules.d:
-f
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following line to the bottom of the /etc/audit/audit.rules file:
-f
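As an added example (not part of this SSG rule or its remediations), a small POSIX shell helper that sets exactly one -f line in a rules file and reports the effective value; the file name and the mode value used in the usage call are constructed assumptions, not values taken from the rule.

```shell
#!/bin/sh
# Added example, not SSG code. auditctl -f accepts 0 (silent), 1 (printk),
# 2 (panic); the value to enforce comes from the caller.
# Usage: set_audit_failure_mode <rules-file> <mode>
set_audit_failure_mode() {
    rules_file="$1"
    mode="$2"
    case "$mode" in
        0|1|2) ;;
        *) echo "invalid audit failure mode: $mode" >&2; return 1 ;;
    esac
    [ -f "$rules_file" ] || : > "$rules_file"
    tmp="${rules_file}.tmp.$$"
    # Drop any existing -f lines first: auditd honours the last one it
    # reads, so a stale earlier setting only confuses a later review.
    grep -v -E '^[[:space:]]*-f[[:space:]]+[0-9]+[[:space:]]*$' \
        "$rules_file" > "$tmp" || true
    printf '%s\n' "-f $mode" >> "$tmp"
    mv "$tmp" "$rules_file"
}

# Print the effective -f value in a rules file (last one wins) or "unset".
get_audit_failure_mode() {
    awk '/^[[:space:]]*-f[[:space:]]+[0-9]+[[:space:]]*$/ { v = $2 }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Constructed usage: file name and mode 2 are assumptions for illustration.
# set_audit_failure_mode /etc/audit/rules.d/90-shutdown.rules 2
# get_audit_failure_mode /etc/audit/rules.d/90-shutdown.rules
```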
Rationale
It is critical for the appropriate personnel to be aware if a system
is at risk of failing to process audit logs as required. Without this
notification, the security personnel may be unaware of an impending failure of
the audit capability, and system operation may be adversely affected.
Audit processing failures include software/hardware errors, failures in the
audit capturing mechanisms, and audit storage capacity being reached or
exceeded.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_system_shutdown
- Severity
- Medium
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
    - DISA-STIG-RHEL-09-654265
    - NIST-800-171-3.3.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
var_audit_failure_mode='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_audit_failure_mode" use="legacy"/>'