RHEL-10-500115 - RHEL 10 must take appropriate action when the internal event queue is full.

Information

The audit system must have an action set up in case the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Off-loading is a common process in information systems with limited audit storage capacity.

Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224

Solution

Configure RHEL 10 to take appropriate action when the internal event queue is full.

Edit the "/etc/audit/auditd.conf" file and add or update the "overflow_action" option:

overflow_action = syslog

Restart the audit daemon with the following command for the changes to take effect:

$ sudo service auditd restart
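The following POSIX shell helper is an added example, not part of the STIG or of any DISA or Red Hat tooling: it reads the effective "overflow_action" value from an auditd.conf-style file (last active, uncommented assignment wins), reports whether it matches the value this finding sets, and remediates in place while preserving the file's ownership and mode. It is run here against a constructed copy of the file rather than "/etc/audit/auditd.conf", treats only "syslog" as compliant, and does not restart auditd.

```shell
#!/bin/sh
# Added example: check and remediate "overflow_action" in an auditd.conf-style file.

# Print the effective value of a key: leading whitespace allowed, '#' starts a
# comment, and the last active assignment in the file is the one reported.
audit_conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$conf" | tail -n 1
}

# Return 0 when overflow_action is "syslog" (the value this finding sets), 1 otherwise.
check_overflow_action() {
    [ "$(audit_conf_get "$1" overflow_action)" = "syslog" ]
}

# Idempotently set "overflow_action = syslog": rewrite every active assignment,
# or append one if none exists. The result is copied back over the original
# (not mv'd) so the file keeps its inode, owner and 0640 mode.
set_overflow_action() {
    conf="$1"; tmp="${conf}.tmp.$$"
    if grep -q '^[[:space:]]*overflow_action[[:space:]]*=' "$conf"; then
        sed 's/^[[:space:]]*overflow_action[[:space:]]*=.*/overflow_action = syslog/' "$conf" > "$tmp"
    else
        cat "$conf" > "$tmp"
        # Guard against a final line without a trailing newline before appending.
        [ -s "$conf" ] && [ "$(tail -c 1 "$conf" | wc -l)" -eq 0 ] && printf '\n' >> "$tmp"
        printf 'overflow_action = syslog\n' >> "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Demo on a constructed sample file (not a real system file).
demo() {
    sample=$(mktemp)
    printf '%s\n' '# overflow_action = syslog' 'overflow_action = ignore' \
        'log_file = /var/log/audit/audit.log' > "$sample"
    if check_overflow_action "$sample"; then echo "before: compliant"
    else echo "before: non-compliant (overflow_action=$(audit_conf_get "$sample" overflow_action))"; fi
    set_overflow_action "$sample"
    if check_overflow_action "$sample"; then echo "after: compliant"; else echo "after: still non-compliant"; fi
    echo "active line: $(grep '^overflow_action' "$sample")"
    rm -f "$sample"
}
demo
```

To audit a real host, call check_overflow_action /etc/audit/auditd.conf as root; after remediating, the audit daemon still has to be restarted as described above.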

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_10_V1R1_STIG.zip