Information
The operating system must take appropriate action when the audisp-remote buffer is full.
Rationale:
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
When the remote buffer is full, audit logs will not be collected and sent to the central log server.
Solution
Edit the /etc/audisp/audispd.conf file and add or update the overflow_action option:
Example: vim /etc/audisp/audispd.conf
Add, update or uncomment the following line:
overflow_action = syslog
The audit daemon must be restarted for changes to take effect:
# service auditd restart
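A small compliance check for the setting above, added here as an example and not part of the STIG or benchmark text. It reads an audispd.conf-style file (`key = value` lines, `#` comments), reports the effective `overflow_action` (the last uncommented assignment wins), and passes only when that value is `syslog`, the value this rule prescribes. The sample configuration files it creates under a temporary directory are constructed for the demonstration; point `check_overflow_action` at `/etc/audisp/audispd.conf` (its default) to audit a real host.

```shell
#!/bin/sh
# Added example (not from the STIG/benchmark page): audit the audispd
# overflow_action setting the way a compliance scanner would.

# Print the effective value of overflow_action in the given file.
# Commented lines are ignored, whitespace around '=' is stripped, and the
# last uncommented assignment wins. Prints nothing when the option is unset.
overflow_action_of() {
    awk -F= '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        /^[[:space:]]*overflow_action[[:space:]]*=/ {   # key = value line
            v = $2
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)  # trim the value
            val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 and print PASS when overflow_action is "syslog" (the value this
# rule calls for); otherwise print the reason and return 1.
# Defaults to the real configuration path when no file is given.
check_overflow_action() {
    file="${1:-/etc/audisp/audispd.conf}"
    [ -r "$file" ] || { echo "FAIL: $file is not readable"; return 1; }
    val="$(overflow_action_of "$file")"
    case "$val" in
        syslog) echo "PASS: overflow_action = $val ($file)"; return 0 ;;
        "")     echo "FAIL: overflow_action unset or commented out ($file)"; return 1 ;;
        *)      echo "FAIL: overflow_action = $val, expected syslog ($file)"; return 1 ;;
    esac
}

# Constructed sample configurations (not real system files) for demonstration.
tmpdir="$(mktemp -d)"
printf 'q_depth = 80\noverflow_action = syslog\n' > "$tmpdir/compliant.conf"
printf 'q_depth = 80\n# overflow_action = syslog\noverflow_action = ignore\n' \
    > "$tmpdir/noncompliant.conf"

check_overflow_action "$tmpdir/compliant.conf"
check_overflow_action "$tmpdir/noncompliant.conf" || true
rm -rf "$tmpdir"
```

The check deliberately treats a commented-out `overflow_action` line as a finding, since audispd only honours uncommented assignments; after editing the file, the verdict does not change the running daemon, so the `service auditd restart` above is still required.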
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-81019
Rule ID: SV-95731r1_rule
STIG ID: RHEL-07-030210
Severity: CAT II