ALMA-09-052380 - AlmaLinux OS 9 must take appropriate action when the internal event queue is full.

Information

The audit system should have an action setup in the event the internal event queue becomes full so that no data is lost.

Solution

Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option:

overflow_action = SYSLOG

The audit daemon must be restarted for changes to take effect.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CL_AlmaLinux_OS_9_V1R1_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4(1), CAT|II, CCI|CCI-001851, Rule-ID|SV-269511r1050394_rule, STIG-ID|ALMA-09-052380, Vuln-ID|V-269511

Plugin: Unix

Control ID: 7cddaf338eb331dab4f539e800962761fbd64c8a24f24da37f7c8403a711f378