scap-security-guide/SOURCES/scap-security-guide-0.1.58-RHEL_08_030700-PR_7264.patch

diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
new file mode 100644
index 0000000000..4f88ed361d
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+
+{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
+                  parameter="overflow_action",
+                  value="syslog",
+                  separator="=",
+                  separator_regex="=",
+                  prefix_regex="^\s*") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
new file mode 100644
index 0000000000..539b9b6582
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -0,0 +1,12 @@
+# platform = multi_platform_fedora,multi_platform_rhel
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{set_config_file(path="/etc/audit/auditd.conf",
+                  parameter="overflow_action",
+                  value="syslog",
+                  separator="=",
+                  separator_regex="=",
+                  prefix_regex="^\s*")}}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
new file mode 100644
index 0000000000..fd45280e4e
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
@@ -0,0 +1,6 @@
+{{{ oval_check_config_file(
+    path="/etc/audit/auditd.conf",
+    prefix_regex="^(?:.*\\n)*\s*",
+    parameter="overflow_action",
+    value="syslog|single|halt",
+    separator_regex="\s*=\s*") }}}
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
new file mode 100644
index 0000000000..d41ca00076
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
@@ -0,0 +1,36 @@
+documentation_complete: true
+
+title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
+
+description: |-
+    The audit system should have an action setup in the event the internal event queue becomes full.
+    To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>
+    to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.
+
+
+rationale: |-
+    The audit system should have an action setup in the event the internal event queue becomes full
+    so that no data is lost.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-85889-4
+
+references:
+    disa: CCI-001851
+    nist: AU-4(1)
+    srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224
+    stigid@rhel8: RHEL-08-030700
+
+ocil_clause: 'auditd overflow action is not setup correctly'
+
+ocil: |-
+    Verify the audit system is configured to take an appropriate action when the internal event queue is full:
+    <pre>$ sudo grep -i overflow_action /etc/audit/auditd.conf</pre>
+
+    The output should contain be like <tt>overflow_action = syslog</tt>
+
+    If the value of the "overflow_action" option is not set to <tt>syslog</tt>, 
+    <tt>single</tt>, <tt>halt</tt> or the line is commented out, ask the System Administrator
+    to indicate how the audit logs are off-loaded to a different system or media. 
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
new file mode 100644
index 0000000000..ec7525b195
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "# overflow_action = syslog" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
new file mode 100644
index 0000000000..e4d173ab37
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+if [[ -f $config_file ]]; then
+    echo '' > $config_file
+fi
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
new file mode 100644
index 0000000000..f26cd7cddf
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+config_file=/etc/audit/auditd.conf
+
+if [[ -f $config_file ]]; then
+    rm -f $config_file
+fi
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
new file mode 100644
index 0000000000..0ec591b25b
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = halt" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
new file mode 100644
index 0000000000..236ad543fe
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = ignore" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
new file mode 100644
index 0000000000..74efdcafee
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+config_file=/etc/audit/auditd.conf
+sed -i "s/^.*overflow_action.*$//" $config_file
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
new file mode 100644
index 0000000000..de11126320
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# Use this script to ensure the audit directory structure and audit conf file
+# exist in the test env.
+config_file=/etc/audit/auditd.conf
+
+# Ensure directory structure exists (useful for container based testing)
+test -d /etc/audit/ || mkdir -p /etc/audit/
+
+test -f $config_file || touch $config_file
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
new file mode 100644
index 0000000000..f9fa7a935c
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = single" >> /etc/audit/auditd.conf
diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
new file mode 100644
index 0000000000..1c625fb752
--- /dev/null
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+# Ensure test system has proper directories/files for test scenario
+bash -x setup.sh
+
+echo "overflow_action = syslog" >> /etc/audit/auditd.conf
diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile
index 6372d13cfc..5cac78e00d 100644
--- a/products/rhel8/profiles/stig.profile
+++ b/products/rhel8/profiles/stig.profile
@@ -826,6 +826,7 @@ selections:
     - rsyslog_remote_loghost
 
     # RHEL-08-030700
+    - auditd_overflow_action
 
     # RHEL-08-030710
 
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
index 24e8149168..b3d9596e1f 100644
--- a/shared/references/cce-redhat-avail.txt
+++ b/shared/references/cce-redhat-avail.txt
@@ -27,7 +27,6 @@ CCE-85885-2
 CCE-85886-0
 CCE-85887-8
 CCE-85888-6
-CCE-85889-4
 CCE-85890-2
 CCE-85891-0
 CCE-85892-8
diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile
index 32f1a24a7a..c9d23ed1dc 100644
--- a/tests/data/profile_stability/rhel8/stig.profile
+++ b/tests/data/profile_stability/rhel8/stig.profile
@@ -73,6 +73,7 @@ selections:
 - auditd_local_events
 - auditd_log_format
 - auditd_name_format
+- auditd_overflow_action
 - banner_etc_issue
 - bios_enable_execution_restrictions
 - chronyd_client_only
diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile
index d6a27c67dc..7303145141 100644
--- a/tests/data/profile_stability/rhel8/stig_gui.profile
+++ b/tests/data/profile_stability/rhel8/stig_gui.profile
@@ -84,6 +84,7 @@ selections:
 - auditd_local_events
 - auditd_log_format
 - auditd_name_format
+- auditd_overflow_action
 - banner_etc_issue
 - bios_enable_execution_restrictions
 - chronyd_client_only
import scap-security-guide-0.1.57-3.el8 2021-08-24 22:41:12 +00:00			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml`
			`new file mode 100644`
			`index 0000000000..4f88ed361d`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml`
			`@@ -0,0 +1,8 @@`
			`+# platform = multi_platform_fedora,multi_platform_rhel`
			`+`
			`+{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",`
			`+ parameter="overflow_action",`
			`+ value="syslog",`
			`+ separator="=",`
			`+ separator_regex="=",`
			`+ prefix_regex="^\s*") }}}`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh`
			`new file mode 100644`
			`index 0000000000..539b9b6582`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh`
			`@@ -0,0 +1,12 @@`
			`+# platform = multi_platform_fedora,multi_platform_rhel`
			`+# reboot = true`
			`+# strategy = restrict`
			`+# complexity = low`
			`+# disruption = low`
			`+`
			`+{{{set_config_file(path="/etc/audit/auditd.conf",`
			`+ parameter="overflow_action",`
			`+ value="syslog",`
			`+ separator="=",`
			`+ separator_regex="=",`
			`+ prefix_regex="^\s*")}}}`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml`
			`new file mode 100644`
			`index 0000000000..fd45280e4e`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml`
			`@@ -0,0 +1,6 @@`
			`+{{{ oval_check_config_file(`
			`+ path="/etc/audit/auditd.conf",`
			`+ prefix_regex="^(?:.\\n)\s*",`
			`+ parameter="overflow_action",`
			`+ value="syslog\|single\|halt",`
			`+ separator_regex="\s=\s") }}}`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml`
			`new file mode 100644`
			`index 0000000000..d41ca00076`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml`
			`@@ -0,0 +1,36 @@`
			`+documentation_complete: true`
			`+`
			`+title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full`
			`+`
			`+description: \|-`
			`+ The audit system should have an action setup in the event the internal event queue becomes full.`
			`+ To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>`
			`+ to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.`
			`+`
			`+`
			`+rationale: \|-`
			`+ The audit system should have an action setup in the event the internal event queue becomes full`
			`+ so that no data is lost.`
			`+`
			`+severity: medium`
			`+`
			`+identifiers:`
			`+ cce@rhel8: CCE-85889-4`
			`+`
			`+references:`
			`+ disa: CCI-001851`
			`+ nist: AU-4(1)`
			`+ srg: SRG-OS-000342-GPOS-00133,SRG-OS-000479-GPOS-00224`
			`+ stigid@rhel8: RHEL-08-030700`
			`+`
			`+ocil_clause: 'auditd overflow action is not setup correctly'`
			`+`
			`+ocil: \|-`
			`+ Verify the audit system is configured to take an appropriate action when the internal event queue is full:`
			`+ <pre>$ sudo grep -i overflow_action /etc/audit/auditd.conf</pre>`
			`+`
			`+ The output should contain be like <tt>overflow_action = syslog</tt>`
			`+`
			`+ If the value of the "overflow_action" option is not set to <tt>syslog</tt>,`
			`+ <tt>single</tt>, <tt>halt</tt> or the line is commented out, ask the System Administrator`
			`+ to indicate how the audit logs are off-loaded to a different system or media.`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh`
			`new file mode 100644`
			`index 0000000000..ec7525b195`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+echo "# overflow_action = syslog" >> /etc/audit/auditd.conf`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh`
			`new file mode 100644`
			`index 0000000000..e4d173ab37`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh`
			`@@ -0,0 +1,7 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+if [[ -f $config_file ]]; then`
			`+ echo '' > $config_file`
			`+fi`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh`
			`new file mode 100644`
			`index 0000000000..f26cd7cddf`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh`
			`@@ -0,0 +1,7 @@`
			`+#!/bin/bash`
			`+`
			`+config_file=/etc/audit/auditd.conf`
			`+`
			`+if [[ -f $config_file ]]; then`
			`+ rm -f $config_file`
			`+fi`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh`
			`new file mode 100644`
			`index 0000000000..0ec591b25b`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+echo "overflow_action = halt" >> /etc/audit/auditd.conf`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh`
			`new file mode 100644`
			`index 0000000000..236ad543fe`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+echo "overflow_action = ignore" >> /etc/audit/auditd.conf`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh`
			`new file mode 100644`
			`index 0000000000..74efdcafee`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+config_file=/etc/audit/auditd.conf`
			`+sed -i "s/^.overflow_action.$//" $config_file`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh`
			`new file mode 100644`
			`index 0000000000..de11126320`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh`
			`@@ -0,0 +1,9 @@`
			`+#!/bin/bash`
			`+# Use this script to ensure the audit directory structure and audit conf file`
			`+# exist in the test env.`
			`+config_file=/etc/audit/auditd.conf`
			`+`
			`+# Ensure directory structure exists (useful for container based testing)`
			`+test -d /etc/audit/ \|\| mkdir -p /etc/audit/`
			`+`
			`+test -f $config_file \|\| touch $config_file`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh`
			`new file mode 100644`
			`index 0000000000..f9fa7a935c`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+echo "overflow_action = single" >> /etc/audit/auditd.conf`
			`diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh`
			`new file mode 100644`
			`index 0000000000..1c625fb752`
			`--- /dev/null`
			`+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh`
			`@@ -0,0 +1,5 @@`
			`+#!/bin/bash`
			`+# Ensure test system has proper directories/files for test scenario`
			`+bash -x setup.sh`
			`+`
			`+echo "overflow_action = syslog" >> /etc/audit/auditd.conf`
			`diff --git a/products/rhel8/profiles/stig.profile b/products/rhel8/profiles/stig.profile`
			`index 6372d13cfc..5cac78e00d 100644`
			`--- a/products/rhel8/profiles/stig.profile`
			`+++ b/products/rhel8/profiles/stig.profile`
			`@@ -826,6 +826,7 @@ selections:`
			`- rsyslog_remote_loghost`

			`# RHEL-08-030700`
			`+ - auditd_overflow_action`

			`# RHEL-08-030710`

			`diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt`
			`index 24e8149168..b3d9596e1f 100644`
			`--- a/shared/references/cce-redhat-avail.txt`
			`+++ b/shared/references/cce-redhat-avail.txt`
			`@@ -27,7 +27,6 @@ CCE-85885-2`
			`CCE-85886-0`
			`CCE-85887-8`
			`CCE-85888-6`
			`-CCE-85889-4`
			`CCE-85890-2`
			`CCE-85891-0`
			`CCE-85892-8`
			`diff --git a/tests/data/profile_stability/rhel8/stig.profile b/tests/data/profile_stability/rhel8/stig.profile`
			`index 32f1a24a7a..c9d23ed1dc 100644`
			`--- a/tests/data/profile_stability/rhel8/stig.profile`
			`+++ b/tests/data/profile_stability/rhel8/stig.profile`
			`@@ -73,6 +73,7 @@ selections:`
			`- auditd_local_events`
			`- auditd_log_format`
			`- auditd_name_format`
			`+- auditd_overflow_action`
			`- banner_etc_issue`
			`- bios_enable_execution_restrictions`
			`- chronyd_client_only`
			`diff --git a/tests/data/profile_stability/rhel8/stig_gui.profile b/tests/data/profile_stability/rhel8/stig_gui.profile`
			`index d6a27c67dc..7303145141 100644`
			`--- a/tests/data/profile_stability/rhel8/stig_gui.profile`
			`+++ b/tests/data/profile_stability/rhel8/stig_gui.profile`
			`@@ -84,6 +84,7 @@ selections:`
			`- auditd_local_events`
			`- auditd_log_format`
			`- auditd_name_format`
			`+- auditd_overflow_action`
			`- banner_etc_issue`
			`- bios_enable_execution_restrictions`
			`- chronyd_client_only`