{"description": "To configure Audit daemon to write Audit logs to the disk, set\n<tt>write_logs</tt> to <tt>yes</tt> in <tt>/etc/audit/auditd.conf</tt>.\nThis is the default setting.", "rationale": "If <tt>write_logs</tt> isn't set to <tt>yes</tt>, the Audit logs will\nnot be written to the disk.", "severity": "medium", "references": {"nist": ["CM-6"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["0582"]}, "control_references": {"ism": ["0582"]}, "components": [], "identifiers": {}, "ocil_clause": "write_logs isn't set to yes", "ocil": "To verify that Audit Daemon is configured to write logs to the disk, run the\nfollowing command:\n<pre>$ sudo grep write_logs /etc/audit/auditd.conf</pre>\nThe output should return the following:\n<pre>write_logs = yes</pre>", "oval_external_content": null, "fixtext": "Edit the file \"/etc/audit/auditd.conf\" and add or edit the following line:\nwrite_logs = yes", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must write audit logs to disk.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must write audit records to disk.", "vuldiscussion": "Audit data should be synchronously written to disk to ensure log integrity. This setting assures that all audit event data is written to disk.", "checktext": "Verify that the audit system is configured to write logs to the disk with the following command:\n\n$ sudo grep write_logs /etc/audit/auditd.conf\n\nwrite_logs = yes\n\nIf \"write_logs\" does not have a value of \"yes\", the line is commented out, or the line is missing, this is a finding.", "fixtext": "Configure the audit system to write log files to the disk.\n\nEdit the /etc/audit/auditd.conf file and add or update the \"write_logs\" option to \"yes\":\n\nwrite_logs = yes\n\nThe audit daemon must be restarted for changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Write Audit Logs to the Disk", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_write_logs/rule.yml", "template": {"name": "auditd_lineinfile", "vars": {"missing_parameter_pass": "true", "parameter": "write_logs", "rule_id": "auditd_write_logs", "value": "yes"}, "backends": {}}}