AlmaLinux OS 9 audit system must make full use of the audit storage space.

STIG ID: ALMA-09-054360  |  SRG: SRG-OS-000047-GPOS-00023 |  Severity: medium |  CCI: CCI-000140 |  Vulnerability Id: V-269528

Vulnerability Discussion

max_log_file (size in megabytes) multiplied by num_logs must make full use of the auditd storage volume (separate to the root partition).

If max_log_file_action is set to ROTATE or KEEP_LOGS then max_log_file must be set to a value that makes the most use of the storage available.

Check

Verify that AlmaLinux OS 9 is configured to make full use of the auditd storage volume when rotation is enabled, with the following command:

$ grep max_log_file /etc/audit/auditd.conf

max_log_file = 8

If the value of the "max_log_file" option is not sufficiently large to maximize the use of the storage volume, is commented out, or is missing, this is a finding.

Fix

Configure AlmaLinux OS 9 to make full use of the auditd storage volume with rotation enabled.

Add or update the following line in the "/etc/audit/auditd.conf" file to a value large enough to make efficient use of the auditd storage volume:

max_log_file = 100
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.