Check: RHEL-09-653095
RHEL 9 STIG:
RHEL-09-653095
(in versions v1 r3 through v1 r2)
Title
RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records. (Cat II impact)
Discussion
If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.
Check Content
Verify that audit system is configured to flush to disk after every 100 records with the following command: $ sudo grep freq /etc/audit/auditd.conf freq = 100 If "freq" isn't set to a value between "1" and "100", the value is missing, or the line is commented out, this is a finding.
Fix Text
Configure RHEL 9 to flush audit to disk by adding or updating the following rule in "/etc/audit/auditd.conf": freq = 100 The audit daemon must be restarted for the changes to take effect.
Additional Identifiers
Rule ID: SV-258168r943024_rule
Vulnerability ID: V-258168
Group Title: SRG-OS-000051-GPOS-00024
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000154 |
The information system provides the capability to centrally review and analyze audit records from multiple components within the system. |
Controls
| Number | Title |
|---|---|
| AU-6 (4) |
Central Review And Analysis |