Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
An XCCDF Rule
Description
The audit system should have an action setup in the event the internal event queue becomes full.
To setup an overflow action edit /etc/audit/auditd.conf
. Set overflow_action
to one of the following values: syslog
, single
, halt
.
Rationale
The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.
- ID
- xccdf_org.ssgproject.content_rule_auditd_overflow_action
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- DISA-STIG-RHEL-08-030700
- NIST-800-53-AU-4(1)
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
if [ -e "/etc/audit/auditd.conf" ] ; then
LC_ALL=C sed -i "/^\s*overflow_action\s*=\s*/Id" "/etc/audit/auditd.conf"