The Photon operating system must ensure audit events are flushed to disk at proper intervals.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-258855 | PHTN-40-000186 | SV-258855r933626_rule | CCI-000366 | medium |
| Description | ||||
| Without the capability to generate audit records, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. To that end, the auditd service must be configured to start automatically and be running at all times. | ||||
| STIG | Date | |||
| VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide | 2023-10-29 | |||
Details
Check Text (C-258855r933626_chk)
At the command line, run the following command to verify auditd is configured to flush audit events to disk regularly:
# grep -E "freq|flush" /etc/audit/auditd.conf
Example result:
flush = INCREMENTAL_ASYNC
freq = 50
If "flush" is not set to "INCREMENTAL_ASYNC", this is a finding.
If "freq" is not set to "50", this is a finding.
Fix Text (F-62504r933625_fix)
Navigate to and open:
/etc/audit/auditd.conf
Add or update the following lines:
flush = INCREMENTAL_ASYNC
freq = 50
At the command line, run the following command:
# pkill -SIGHUP auditd