4.1.2.12 Ensure action is taken when audisp-remote buffer is full

Information

The operating system must take appropriate action when the audisp-remote buffer is full.

Rationale:

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

When the remote buffer is full, audit logs will not be collected and sent to the central log server.

Solution

Edit the /etc/audisp/audispd.conf file and add or update the overflow_action option:
Example: vim /etc/audisp/audispd.conf
Add, update or uncomment the following line:

overflow_action = syslog

The audit daemon must be restarted for changes to take effect:

# service auditd restart

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CCI|CCI-001851, CSCv7|6.2, Rule-ID|SV-204507r603261_rule, STIG-ID|RHEL-07-030210

Plugin: Unix

Control ID: edd1af3855fcb904b54d9c5506010463ec1a446d05170e778d4344990813da07