RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.

STIG ID: RHEL-09-653095  |  SRG: SRG-OS-000051-GPOS-00024 | Severity: medium |  CCI: CCI-000154

Vulnerability Discussion

If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.

Check

Verify that audit system is configured to flush to disk after every 100 records with the following command:

$ sudo grep freq /etc/audit/auditd.conf

freq = 100

If "freq" isn't set to a value between "1" and "100", the value is missing, or the line is commented out, this is a finding.

Fix

Configure RHEL 9 to flush audit to disk by adding or updating the following rule in "/etc/audit/auditd.conf":

freq = 100

The audit daemon must be restarted for the changes to take effect.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.