RHEL 9 must use a separate file system for the system audit data path.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257847 | RHEL-09-231030 | SV-257847r1044924_rule | CCI-001849 | low |
| Description | ||||
| Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space. Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 | ||||
| STIG | Date | |||
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2025-05-14 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AU-4
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001849
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-257847r1044924_chk)
Verify that a separate file system/partition has been created for the system audit data path with the following command:
Note: /var/log/audit is used as the example as it is a common location.
$ mount | grep /var/log/audit
/dev/mapper/rootvg-varlogaudit on /var/log/audit type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota)
Note: Options displayed for mount may differ.
If no line is returned, this is a finding.
Fix Text (F-61512r925527_fix)
Migrate the system audit data path onto a separate file system.