OL 9 must periodically flush audit records to disk to prevent the loss of audit records.

STIG ID: OL09-00-000775  |  SRG: SRG-OS-000051-GPOS-00024 |  Severity: medium |  CCI: CCI-000154 |  Vulnerability Id: V-271582

Vulnerability Discussion

If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.

Check

Verify that OL 9 is configured to flush audit records to disk after every 100 records with the following command:

$ sudo grep freq /etc/audit/auditd.conf
freq = 100

If "freq" isn't set to a value of "100" or greater, the value is missing, or the line is commented out, this is a finding.

Fix

Configure OL 9 to flush audit to disk by adding or updating the following configuration in "/etc/audit/auditd.conf":

freq = 100

The audit daemon must be restarted for the changes to take effect.

Restart auditd:
$ sudo service auditd restart
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.