Skip to content

Set number of records to cause an explicit flush to audit logs

An XCCDF Rule

Description

To configure Audit daemon to issue an explicit flush to disk command after writing records, set freq to in /etc/audit/auditd.conf.

Rationale

If option freq isn't set to , the flush to disk may happen after higher number of records, increasing the danger of audit loss.

ID
xccdf_org.ssgproject.content_rule_auditd_freq
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

if [ -e "/etc/audit/auditd.conf" ] ; then
    
    LC_ALL=C sed -i "/^\s*freq\s*=\s*/Id" "/etc/audit/auditd.conf"

Remediation - Ansible

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6
  - auditd_freq