The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
low	V-258844	SRG-OS-000341-GPOS-00132	PHTN-40-000110	SV-258844r958752_rule	2024-07-11	2

Description
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.

ℹ️ Check
At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure: # grep -E "^num_logs\|^max_log_file_action" /etc/audit/auditd.conf Example result: num_logs = 5 max_log_file_action = ROTATE If "num_logs" is not configured to "5" or greater, this is a finding. If "max_log_file_action" is not configured to "ROTATE", this is a finding.

ℹ️ Check

At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure: # grep -E "^num_logs|^max_log_file_action" /etc/audit/auditd.conf Example result: num_logs = 5 max_log_file_action = ROTATE If "num_logs" is not configured to "5" or greater, this is a finding. If "max_log_file_action" is not configured to "ROTATE", this is a finding.

✔️ Fix
Navigate to and open: /etc/audit/auditd.conf Ensure the following lines are present, not duplicated, and not commented: num_logs = 5 max_log_file_action = ROTATE At the command line, run the following command: # pkill -SIGHUP auditd