{"description": "Perform basic configuration of the Audit system.\nMake sure that any previously defined rules are cleared, the auditing system is configured to handle sudden bursts of events, and, in case of failure, messages are directed to the system log.\n\nThe following rules configure audit as described above:\n<pre>## First rule - delete all\n-D\n\n## Increase the buffers to survive stress events.\n## Make this bigger for busy systems\n-b 8192\n\n## This determine how long to wait in burst of events\n--backlog_wait_time 60000\n\n## Set failure mode to syslog\n-f 1    </pre>\n\nLoad the new Audit rules into the kernel by running:\n<pre>augenrules --load</pre>", "rationale": "Without this basic configuration, audit may not perform as expected. It may not be able to correctly handle events under stressful conditions, or to log events in case of failure.", "severity": "medium", "references": {"nist": ["AU-2(a)"], "ospp": ["FAU_GEN.1"], "srg": ["SRG-OS-000365-GPOS-00152", "SRG-OS-000475-GPOS-00220"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the file does not exist or the content differs", "ocil": "To verify that <tt>Audit</tt> is correctly configured according to the recommended rules, check the content of the file with the following command:\n<pre>cat /etc/audit/rules.d/10-base-config.rules</pre>\nThe output has to be exactly as follows:\n<pre>## First rule - delete all\n-D\n\n## Increase the buffers to survive stress events.\n## Make this bigger for busy systems\n-b 8192\n\n## This determine how long to wait in burst of events\n--backlog_wait_time 60000\n\n## Set failure mode to syslog\n-f 1    </pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"performance": "It might happen that the Audit buffer configured by this rule is not large enough for certain use cases.\nIf that is the case, the buffer size can be overridden by placing <pre>-b larger_buffer_size</pre> into a file within the <tt>/etc/audit/rules.d</tt> directory, replacing <tt>larger_buffer_size</tt> with the desired value. The file name should start with a number higher than 10 and lower than 99."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure basic parameters of Audit system", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/policy_rules/audit_basic_configuration/rule.yml", "template": {"name": "audit_file_contents", "vars": {"filepath": "/etc/audit/rules.d/10-base-config.rules", "contents": "## First rule - delete all\n-D\n\n## Increase the buffers to survive stress events.\n## Make this bigger for busy systems\n-b 8192\n\n## This determine how long to wait in burst of events\n--backlog_wait_time 60000\n\n## Set failure mode to syslog\n-f 1\n"}, "backends": {}}}