The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258844 | PHTN-40-000110 | SV-258844r933593_rule | CCI-001849 | low |
| Description | ||||
| Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-258844r933593_chk)
At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure:
# grep -E "^num_logs|^max_log_file_action" /etc/audit/auditd.conf
Example result:
num_logs = 5
max_log_file_action = ROTATE
If "num_logs" is not configured to "5" or greater, this is a finding.
If "max_log_file_action" is not configured to "ROTATE", this is a finding.
Fix Text (F-62493r933592_fix)
Navigate to and open:
/etc/audit/auditd.conf
Ensure the following lines are present, not duplicated, and not commented:
num_logs = 5
max_log_file_action = ROTATE
At the command line, run the following command:
# pkill -SIGHUP auditd