
The Oracle Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system.


Overview

Finding ID: V-99285
Version: OL07-00-030321
Rule ID: SV-108389r1_rule
IA Controls:
Severity: Medium
Description
Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
STIG: Oracle Linux 7 Security Technical Implementation Guide
Date: 2020-05-29

Details

Check Text ( C-98131r1_chk )
Verify the action the operating system takes if there is an error sending audit records to a remote system.

Check the action that takes place if there is an error sending audit records to a remote system with the following command:

# grep -i network_failure_action /etc/audisp/audisp-remote.conf
network_failure_action = syslog

If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
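
The check above can be scripted as follows. This is an added example, not part of the STIG: the function name is hypothetical, and lower-casing the option name and value before comparison (mirroring the "grep -i" above) and rejecting any duplicate assignment with an unacceptable value are assumptions made here.

```shell
#!/bin/sh
# Added example (not part of the STIG): scripted form of the check above.
# Returns 0 when compliant, 1 when the result is a finding.
check_network_failure_action() {
    conf="${1:-/etc/audisp/audisp-remote.conf}"
    [ -r "$conf" ] || { echo "FINDING: cannot read $conf"; return 1; }
    # Collect the value of every active (uncommented) assignment.
    # Option name and value are lower-cased first, mirroring the
    # case-insensitive grep in the manual check (an assumption here).
    values=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key != "network_failure_action") next
            val = tolower($2); gsub(/^[ \t]+|[ \t]+$/, "", val)
            print (val == "" ? "<empty>" : val)
        }' "$conf")
    if [ -z "$values" ]; then
        echo "FINDING: network_failure_action is missing or commented out"
        return 1
    fi
    # Conservative rule: every active assignment must be acceptable, so
    # the verdict does not depend on which duplicate the daemon honours.
    rc=0
    while IFS= read -r v; do
        case "$v" in
            syslog|single|halt) ;;
            *) echo "FINDING: network_failure_action = $v"; rc=1 ;;
        esac
    done <<EOF
$values
EOF
    [ "$rc" -eq 0 ] && echo "OK: network_failure_action = $(echo $values)"
    return "$rc"
}

# Constructed sample files, checked offline.
tmp=$(mktemp -d)
printf 'remote_server = logs.example\nnetwork_failure_action = syslog\n' > "$tmp/good.conf"
printf '#network_failure_action = syslog\n' > "$tmp/commented.conf"
printf 'network_failure_action = ignore\n' > "$tmp/weak.conf"
for f in good commented weak; do
    check_network_failure_action "$tmp/$f.conf" || true
done
rm -rf "$tmp"
```

Called with no argument, the function reads /etc/audisp/audisp-remote.conf, so it can be run as-is on the system under review.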
Fix Text (F-104967r1_fix)
Configure the action the operating system takes if there is an error sending audit records to a remote system.

Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".

network_failure_action = syslog