STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021: STIGQter: STIG Summary: Red Hat Enterprise Linux 8 Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 23 Apr 2021:SV-230480r627750_rule
V-230480
SRG-OS-000342-GPOS-00133
RHEL-08-030700
CAT II
10
Edit the /etc/audit/auditd.conf file and add or update the "overflow_action" option:
overflow_action = syslog
The audit daemon must be restarted for changes to take effect.
Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf
overflow_action = syslog
If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.
V-230480
False
RHEL-08-030700
Verify the audit system is configured to take an appropriate action when the internal event queue is full:
$ sudo grep -i overflow_action /etc/audit/auditd.conf
overflow_action = syslog
If the value of the "overflow_action" option is not set to "syslog", "single", "halt", or the line is commented out, ask the System Administrator to indicate how the audit logs are off-loaded to a different system or media.
If there is no evidence that the transfer of the audit logs being off-loaded to another system or media takes appropriate action if the internal event queue becomes full, this is a finding.
M
2921