The audit system must have an action set up in case the internal event queue becomes full so that no data is lost. Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Off-loading is a common process in information systems with limited audit storage capacity.
If the value of the "overflow_action" option is not set to "syslog", "single", or "halt", or the line is commented out, ask the system administrator to indicate how the audit logs are off-loaded to a different system or media.
If there is no evidence that the audit system is configured to off-load the audit logs to another system or media, and if the overflow action is not set to take appropriate action if the internal event queue becomes full, this is a finding.
Fix
Configure RHEL 10 to take appropriate action when the internal event queue is full.
Edit the "/etc/audit/auditd.conf" file and add or update the "overflow_action" option:
overflow_action = syslog
Restart the audit daemon with the following command for the changes to take effect: