Check: PHTN-67-000058
VMware vSphere 6.7 Photon OS STIG: PHTN-67-000058 (in versions v1 r6 through v1 r1)
Title
The Photon operating system must configure auditd to keep five rotated log files. (Cat II impact)
Discussion
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
Check Content
At the command line, execute the following command:

```
# grep "^max_log_file_action" /etc/audit/auditd.conf
```

Expected result:

```
max_log_file_action = IGNORE
```

If the output of the command does not match the expected result, this is a finding.
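The check above, scripted so it can run across many hosts, as an added example that is not part of the STIG text. The function name `check_max_log_file_action` is hypothetical. Comparing the value case-insensitively, tolerating any spacing around `=`, and treating conflicting duplicate lines as a finding are assumptions of this example that go beyond the literal string match in the check.

```shell
#!/bin/sh
# Added example: audit an auditd.conf for the setting max_log_file_action = IGNORE.
# Returns 0 when compliant, 1 for a finding, 2 when the file cannot be read.
check_max_log_file_action() {
    conf="${1:-/etc/audit/auditd.conf}"
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 2; }

    # Collect the value of every active (uncommented) max_log_file_action line.
    # The keyword is anchored at line start, as in the STIG's grep.
    values=$(sed -n \
        's/^max_log_file_action[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*$/\1/p' \
        "$conf")

    if [ -z "$values" ]; then
        echo "FINDING: max_log_file_action is not set in $conf"
        return 1
    fi

    # Every active occurrence must be IGNORE, so a later conflicting
    # duplicate cannot hide behind an earlier compliant line.
    # Case-insensitive comparison is an assumption of this example.
    for v in $values; do
        upper=$(printf '%s' "$v" | tr '[:lower:]' '[:upper:]')
        if [ "$upper" != "IGNORE" ]; then
            echo "FINDING: max_log_file_action = $v in $conf"
            return 1
        fi
    done
    echo "OK: max_log_file_action = IGNORE in $conf"
    return 0
}

# Constructed sample input (not taken from a real host): auditd left to
# rotate on its own, which this check reports as a finding.
sample=$(mktemp)
printf 'num_logs = 5\nmax_log_file_action = ROTATE\n' > "$sample"
check_max_log_file_action "$sample" || true
rm -f "$sample"
```

Call the function with no argument to test `/etc/audit/auditd.conf` on the local host; the return code distinguishes a finding (1) from an unreadable file (2).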
Fix Text
Open /etc/audit/auditd.conf with a text editor. Add or change the "max_log_file_action" line as follows:

```
max_log_file_action = IGNORE
```

At the command line, execute the following command:

```
# service auditd reload
```
Additional Identifiers
Rule ID: SV-239129r877391_rule
Vulnerability ID: V-239129
Group Title: SRG-OS-000341-GPOS-00132
CCIs
Number | Definition |
---|---|
CCI-001849 | The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. |
Controls
Number | Title |
---|---|
AU-4 | Audit Storage Capacity |