TOSS 5 must periodically flush audit records to disk to prevent the loss of audit records.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282430TOSS-05-000403SV-282430r1200270_ruleCCI-000154medium
Description
If option "freq" is not set to a value that requires audit records being written to disk after a threshold number is reached, then audit records may be lost.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282430r1200270_chk)

Verify the audit system is configured to flush to disk after every 100 records using the following command: $ sudo grep freq /etc/audit/auditd.conf freq = 100 If "freq" isn't set to a value between "1" and "100", the value is missing, or the line is commented out, this is a finding.

Fix Text (F-86896r1200269_fix)

Configure TOSS 5 to flush audit to disk by adding or updating the following rule in "/etc/audit/auditd.conf": freq = 100 Restart the audit daemon for the changes to take effect.