AlmaLinux OS 9 audit system must retain an optimal number of audit records.

STIG ID: ALMA-09-054580  |  SRG: SRG-OS-000047-GPOS-00023 |  Severity: medium |  CCI: CCI-000140 |  Vulnerability Id: V-269530

Vulnerability Discussion

max_log_file (size in megabytes) multiplied by num_logs must make full use of the auditd storage volume (separate to the root partition).

If max_log_file_action is set to ROTATE or KEEP_LOGS then num_logs must be set to a value between 2 and 99.

Check

Verify that AlmaLinux OS 9 is configured to make full use of the auditd storage volume when rotation is enabled, with the following command:

$ grep num_logs /etc/audit/auditd.conf

num_logs = 5

If the value of the "num_logs" option is not between 2 and 99, is commented out, or is missing, this is a finding.

Fix

Configure AlmaLinux OS 9 to make full use of the auditd storage volume with rotation enabled.

Add or update the following line ("num_logs" can be set to a number between 2 and 99) in the "/etc/audit/auditd.conf" file:

num_logs = 5
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.