TOSS 5 must label all offloaded audit logs before sending them to the central log server.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282425TOSS-05-000396SV-282425r1201625_ruleCCI-000132medium
Description
Enriched logging is needed to determine who, what, and when events occur on a system. Without this, determining root cause of an event will be much more difficult. When audit logs are not labeled before they are sent to a central log server, the audit data will not be able to be analyzed and tied back to the correct system.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282425r1201625_chk)

Verify that TOSS 5 Audit Daemon is configured to label all offloaded audit logs, with the following command: $ sudo grep name_format /etc/audit/auditd.conf name_format = hostname If the "name_format" option is not "hostname", "fqd", or "numeric", or the line is commented out, this is a finding.

Fix Text (F-86891r1201624_fix)

Edit the /etc/audit/auditd.conf file and add or update the "name_format" option: name_format = hostname Restart the audit daemon for changes to take effect.