Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to send email to an account when it needs to notify an administrator:
action_mail_acct = root
If auditd is not configured to send emails per identified actions, this is a finding.
Fix Text (F-19536r377187_fix)
The "auditd" service can be configured to send email to a designated account in certain situations. Add or correct the following line in "/etc/audit/auditd.conf" to ensure that administrators are notified via email for those situations: