TOSS 5 must write audit records to disk.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-282752TOSS-05-000405SV-282752r1201236_ruleCCI-000366medium
Description
Audit data should be synchronously written to disk to ensure log integrity. This setting ensures all audit event data is written to disk.
STIGDate
Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide2026-04-01

Details

Check Text (C-282752r1201236_chk)

If the system is configured to immediately offload audit records to an external system, this requirement is not applicable. Verify the audit system is configured to write logs to the disk using the following command: $ sudo grep write_logs /etc/audit/auditd.conf write_logs = yes If "write_logs" does not have a value of "yes", the line is commented out, or the line is missing, this is a finding.

Fix Text (F-87218r1201235_fix)

Configure the audit system to write log files to the disk. Edit the "/etc/audit/auditd.conf" file and add or update the "write_logs" option to "yes": write_logs = yes Restart the audit daemon for changes to take effect.