RHEL 10 must label all off-loaded audit logs before sending them to the central log server.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-281105	RHEL-10-500045	SV-281105r1166267_rule	CCI-000132	medium
Description
Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system. Satisfies: SRG-OS-000039-GPOS-00017, SRG-OS-000342-GPOS-00133, SRG-OS-000479-GPOS-00224
STIG			Date
Red Hat Enterprise Linux 10 Security Technical Implementation Guide			2026-03-11

Related Frameworks

4 paths across 3 frameworks

NIST 800-531 mapping

AU-3

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-1712 mappings

3.3.1

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

3.3.2

1.00

DISA · V1R1 · disa_xccdf · related
DISA · 2025-01-23 · disa_cci_list · equivalent
NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI1 mapping

CCI-000132

1.00

DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-281105r1166267_chk)

Verify the RHEL 10 audit daemon is configured to label all off-loaded audit logs with the following command: $ sudo grep name_format /etc/audit/auditd.conf name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.

Fix Text (F-85571r1166266_fix)

Configure RHEL 10 so that all off-loaded audit logs are labeled before sending them to the central log server. Edit the "/etc/audit/auditd.conf" file and add or update the "name_format" option: name_format = hostname Restart the audit daemon with the following command for the changes to take effect: $ sudo service auditd restart