Configure auditd flush priority
An XCCDF Rule
Description
The auditd service can be configured to synchronously write audit event data to disk. Add or correct the following line in /etc/audit/auditd.conf to ensure that audit event data is fully synchronized with the log files on the disk:
flush =
Rationale
Audit data should be synchronously written to disk to ensure log integrity. This setting ensures that all audit event data is fully synchronized with the log files on the disk.
- ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_flush
- Severity: Medium
- References:
- Updated:
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
  config:
    ignition:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
    var_auditd_flush='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_flush" use="legacy"/>'
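The shell remediation above is cut off on this page and its flush value is left as an unresolved XCCDF variable. The following is an added example, not the SCAP Security Guide project's own remediation, showing the "add or correct the line" logic the description calls for together with the check a scanner would run: exactly one active flush line, carrying the expected value. The desired value is a parameter supplied by the caller (the demonstration passes data only as a placeholder for whatever the rule's variable resolves to), the sample configuration is constructed inline, and the function names set_auditd_flush and check_auditd_flush are this example's own.

```shell
#!/bin/sh
# Added example (not the SSG project's remediation): ensure that an
# auditd.conf-style file carries a single "flush = VALUE" line.
# The caller supplies VALUE; this script does not choose it.

# Usage: set_auditd_flush /path/to/auditd.conf VALUE
# Corrects an existing flush line in place, or appends one if missing.
set_auditd_flush() {
    conf="$1"
    value="$2"
    if grep -Eq '^[[:space:]]*flush[[:space:]]*=' "$conf"; then
        # Rewrite through a temp file so the result is portable (no sed -i).
        tmp="${conf}.tmp.$$"
        sed -E "s/^[[:space:]]*flush[[:space:]]*=.*/flush = ${value}/" "$conf" > "$tmp" \
            && mv "$tmp" "$conf"
    else
        printf 'flush = %s\n' "$value" >> "$conf"
    fi
}

# Usage: check_auditd_flush /path/to/auditd.conf VALUE
# Returns 0 when exactly one active flush line exists and it holds VALUE,
# which is the condition a compliance scanner evaluates for this rule.
check_auditd_flush() {
    conf="$1"
    value="$2"
    # "|| true" keeps a zero count from tripping set -e; grep still prints 0.
    n=$(grep -Ec '^[[:space:]]*flush[[:space:]]*=' "$conf" || true)
    [ "$n" -eq 1 ] || return 1
    grep -Eq "^[[:space:]]*flush[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$conf"
}

# Stand-alone demonstration on a constructed config fragment (not a real
# system file); the rule's actual flush value is not asserted here.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# constructed sample auditd.conf fragment
log_file = /var/log/audit/audit.log
flush = incremental_async
freq = 50
EOF
if check_auditd_flush "$demo_conf" data; then
    echo "before: compliant"
else
    echo "before: not compliant"
fi
set_auditd_flush "$demo_conf" data
if check_auditd_flush "$demo_conf" data; then
    echo "after: compliant"
else
    echo "after: not compliant"
fi
rm -f "$demo_conf"
```

The check deliberately counts active flush lines rather than just searching for the expected value: a file that carries both a stale line and a corrected one would pass a naive grep while leaving auditd to apply whichever line it reads last.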
Remediation - Ansible
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-171-3.3.1
  - NIST-800-53-AU-11