Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-99275 | OL07-00-030210 | SV-108379r1_rule | Medium |
Description |
---|
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity. When the remote buffer is full, audit logs will not be collected and sent to the central log server. Satisfies: SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224 |
STIG | Date |
---|---|
Oracle Linux 7 Security Technical Implementation Guide | 2020-05-29 |
Check Text ( C-98121r1_chk ) |
---|
Verify the audisp daemon is configured to take an appropriate action when the internal queue is full: # grep "overflow_action" /etc/audisp/audispd.conf overflow_action = syslog If the "overflow_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding. |
Fix Text (F-104957r1_fix) |
---|
Edit the /etc/audisp/audispd.conf file and add or update the "overflow_action" option: overflow_action = syslog The audit daemon must be restarted for changes to take effect: # service auditd restart |