RHEL 9 must periodically flush audit records to disk to prevent the loss of audit records.

STIG ID: RHEL-09-653095  |  SRG: SRG-OS-000051-GPOS-00024 |  Severity: medium |  CCI: CCI-000154 |  Vulnerability Id: V-258168

Vulnerability Discussion

If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.

Check

Verify that audit system is configured to flush to disk after every 100 records with the following command:

$ sudo grep freq /etc/audit/auditd.conf

freq = 100

If "freq" isn't set to a value between "1" and "100", the value is missing, or the line is commented out, this is a finding.

Fix

Configure RHEL 9 to flush audit to disk by adding or updating the following rule in "/etc/audit/auditd.conf":

freq = 100

The audit daemon must be restarted for the changes to take effect.