
The audit system must take appropriate action when there is an error sending audit records to a remote system.


Overview

Finding ID: V-73163
Version: RHEL-07-030321
Rule ID: SV-87815r2_rule
IA Controls:
Severity: Medium
Description
Taking appropriate action when there is an error sending audit records to a remote system will minimize the possibility of losing audit records.
STIG: Red Hat Enterprise Linux 7 Security Technical Implementation Guide
Date: 2017-12-14

Details

Check Text (C-73287r3_chk)
Verify the action the operating system takes if there is an error sending audit records to a remote system.

Check the action that takes place if there is an error sending audit records to a remote system with the following command:

# grep -i network_failure_action /etc/audisp/audisp-remote.conf
network_failure_action = stop

If the value of the "network_failure_action" option is not "syslog", "single", or "halt", or the line is commented out, this is a finding.
Fix Text (F-79609r1_fix)
Configure the action the operating system takes if there is an error sending audit records to a remote system.

Uncomment the "network_failure_action" option in "/etc/audisp/audisp-remote.conf" and set it to "syslog", "single", or "halt".

network_failure_action = single
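
The check above can be scripted so that a commented-out or missing option is reported as a finding instead of being read off the grep output by eye. The following is an added example, not part of the STIG text: the function name, the return convention, the case-insensitive matching (mirroring the "grep -i" in the check) and the handling of duplicate lines are assumptions of this example.

```shell
#!/bin/bash
# Added example (not STIG text): evaluate the RHEL-07-030321 check on a file.
# The function name and return convention are this example's own.

# Prints a verdict; returns 0 when compliant, 1 when the check is a finding.
check_network_failure_action() {
    local conf="${1:-/etc/audisp/audisp-remote.conf}" values bad
    if [ ! -r "$conf" ]; then
        echo "FINDING: $conf is not readable"
        return 1
    fi
    # Collect the value of every active (uncommented) assignment. Unlike a
    # plain grep -i, this ignores "#network_failure_action = ..." lines.
    values=$(awk -F= '
        /^[ \t]*#/ { next }
        {
            key = tolower($1); gsub(/[ \t]/, "", key)
            if (key == "network_failure_action") {
                val = tolower($2); gsub(/[ \t\r]/, "", val)
                if (val == "") val = "<empty>"
                print val
            }
        }' "$conf")
    if [ -z "$values" ]; then
        echo "FINDING: network_failure_action is missing or commented out"
        return 1
    fi
    # Conservative choice of this example: if the option is set more than
    # once, every occurrence must be one of the accepted values.
    bad=$(printf '%s\n' "$values" | grep -Evx 'syslog|single|halt' | head -n 1)
    if [ -n "$bad" ]; then
        echo "FINDING: network_failure_action = $bad"
        return 1
    fi
    echo "OK: network_failure_action = $(printf '%s\n' "$values" | tail -n 1)"
}

# Constructed sample: the option is present only as a commented-out line.
sample=$(mktemp)
printf '%s\n' 'remote_server = 192.0.2.10' '#network_failure_action = stop' > "$sample"
check_network_failure_action "$sample" || true   # prints the FINDING line
rm -f "$sample"
```

Called with no argument, the function reads "/etc/audisp/audisp-remote.conf"; its exit status can be used directly in a compliance scan.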