1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
|
documentation_complete: true
title: 'Set number of records to cause an explicit flush to audit logs'
description: |-
To configure Audit daemon to issue an explicit flush to disk command
after writing {{{ xccdf_value("var_auditd_freq") }}} records, set <tt>freq</tt> to <tt>{{{ xccdf_value("var_auditd_freq") }}}</tt>
in <tt>/etc/audit/auditd.conf</tt>.
rationale: |-
If option <tt>freq</tt> isn't set to <tt>{{{ xccdf_value("var_auditd_freq") }}}</tt>, the flush to disk
may happen after higher number of records, increasing the danger
of audit loss.
severity: medium
identifiers:
cce@rhcos4: CCE-82512-5
cce@rhel8: CCE-82258-5
cce@rhel9: CCE-83704-7
cce@rhel10: CCE-87482-6
references:
disa: CCI-000154
nist: CM-6
ospp: FAU_GEN.1
srg: SRG-OS-000051-GPOS-00024
ocil_clause: freq isn't set to {{{ xccdf_value("var_auditd_freq") }}}
ocil: |-
To verify that Audit Daemon is configured to flush to disk after
every {{{ xccdf_value("var_auditd_freq") }}} records, run the following command:
<pre>$ sudo grep freq /etc/audit/auditd.conf</pre>
The output should return the following:
<pre>freq = {{{ xccdf_value("var_auditd_freq") }}}</pre>
fixtext: |-
{{{ fixtext_audit_configuration(param="freq", value=xccdf_value("var_auditd_freq")) | indent(4) }}}
srg_requirement: |-
{{{ full_name }}} must periodically flush audit records to disk to ensure that audit records are not lost.
template:
name: auditd_lineinfile
vars:
missing_parameter_pass: 'false'
parameter: freq
rule_id: auditd_freq
value: '50'
|
