← Rules Catalog
mediumauditunverified

Ensure auditd takes action on a critical audit processing failure

auditd-failure-action · RHEL ≥ 10 · 1 impl

Description

The audit rules must set the failure flag ("-f") to "2" so that RHEL 10 panics when a critical audit processing failure occurs. A value of "1" (printk) is acceptable only when availability is documented as an overriding concern.

Rationale

If auditd silently continues after it can no longer record events, actions go unaudited. Failing to a panic (or at least a logged printk) ensures a critical audit failure is not ignored.

Check → Remediate

Checkcommand
# Read the loaded rules artifact (/etc/audit/audit.rules), exactly as the
# STIG does — not the staged rules.d fragments, which may differ from the
# running config until augenrules --load is run.
f=$(grep -hE '^[[:space:]]*-f[[:space:]]+[0-9]' /etc/audit/audit.rules 2>/dev/null \
      | awk '{print $2}' | tail -1)
case "$f" in
  2)
    echo "OK: audit failure flag is -f 2 (panic on critical audit failure)"
    exit 0 ;;
  1)
    echo "MANUAL REVIEW REQUIRED: audit failure flag is -f 1 (printk). This is a finding UNLESS availability is documented as an overriding concern; otherwise set -f 2."
    exit 0 ;;
  *)
    echo "FAIL: audit failure flag -f is '${f:-unset}' (must be 2, or 1 with documented availability concern)"
    exit 1 ;;
esac
expected_exit:
0
Remediatemanual
note:
Set the audit failure flag to panic by adding "-f 2" to /etc/audit/rules.d/audit.rules (or "-f 1" if availability is a documented overriding concern), then regenerate the rules with augenrules --load.

Framework references

STIG

V-281103 / RHEL-10-500035

NIST 800-53

AU-5
#audit#auditd#failure-action#stig#manual