← Rules Catalog
mediumauditverified rollback-safe

Configure auditd internal event queue overflow action

auditd-overflow-action · RHEL ≥ 8 · 1 impl

Description

The auditd overflow_action parameter must be configured to take appropriate action when the internal event queue is full.

Rationale

If the internal event queue overflows without notification, audit events may be silently dropped, creating gaps in the audit trail that could mask malicious activity.

Check → Remediate

Checkconfig_value
path:
/etc/audit/auditd.conf
key:
overflow_action
expected:
syslog
Remediateconfig_set
path:
/etc/audit/auditd.conf
key:
overflow_action
value:
syslog
separator:
=
restart:
auditd

Framework references

STIG

V-258162V-230480V-281109 / RHEL-10-500115

NIST 800-53

AU-5

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#auditd#configuration