mediumauditverified ✓rollback-safe
Configure auditd internal event queue overflow action
auditd-overflow-action · RHEL ≥ 8 · 1 impl
Description
The auditd overflow_action parameter must be configured to take appropriate action when the internal event queue is full.
Rationale
If the internal event queue overflows without notification, audit events may be silently dropped, creating gaps in the audit trail that could mask malicious activity.
Check → Remediate
Checkconfig_value
- path:
- /etc/audit/auditd.conf
- key:
- overflow_action
- expected:
- syslog
Remediateconfig_set
- path:
- /etc/audit/auditd.conf
- key:
- overflow_action
- value:
- syslog
- separator:
- =
- restart:
- auditd
Framework references
STIG
V-258162V-230480V-281109 / RHEL-10-500115
NIST 800-53
AU-5
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd#configuration