{"description": "To configure the Audit daemon to issue an explicit flush to disk command\nafter writing <sub idref=\"var_auditd_freq\" /> records, set <tt>freq</tt> to <tt><sub idref=\"var_auditd_freq\" /></tt>\nin <tt>/etc/audit/auditd.conf</tt>.", "rationale": "If option <tt>freq</tt> isn't set to <tt><sub idref=\"var_auditd_freq\" /></tt>, the flush to disk\nmay happen after a higher number of records, increasing the danger\nof audit loss.", "severity": "medium", "references": {"nist": ["CM-6"], "ospp": ["FAU_GEN.1"], "srg": ["SRG-OS-000051-GPOS-00024"], "ism": ["0582"]}, "control_references": {"ism": ["0582"]}, "components": [], "identifiers": {}, "ocil_clause": "freq isn't set to <sub idref=\"var_auditd_freq\" />", "ocil": "To verify that the Audit daemon is configured to flush to disk after\nevery <sub idref=\"var_auditd_freq\" /> records, run the following command:\n<pre>$ sudo grep freq /etc/audit/auditd.conf</pre>\nThe output should return the following:\n<pre>freq = <sub idref=\"var_auditd_freq\" /></pre>", "oval_external_content": null, "fixtext": "Edit the file \"/etc/audit/auditd.conf\" and add or edit the following line:\nfreq = <sub idref=\"var_auditd_freq\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must periodically flush audit records to disk to ensure that audit records are not lost.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must periodically flush audit records to disk to ensure that audit records are not lost.", "vuldiscussion": "If option \"freq\" isn't set to a value that requires audit records being written to disk after a threshold number is reached then audit records may be lost.", "checktext": "Verify that the audit system is configured to flush to disk after every 50 records with the following command:\n\n$ sudo grep freq /etc/audit/auditd.conf\n\nfreq = 100\n\nIf \"freq\" isn't set to a value of \"100\" or greater, the value is missing, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to flush audit to disk by adding or updating the following rule in \"/etc/audit/rules.d/audit.rules\":\n\nfreq = 100\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set number of records to cause an explicit flush to audit logs", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_freq/rule.yml", "template": {"name": "auditd_lineinfile", "vars": {"missing_parameter_pass": "false", "parameter": "freq", "rule_id": "auditd_freq", "xccdf_variable": "var_auditd_freq", "variable_datatype": "int", "test_correct_value": 50, "test_wrong_value": 1}, "backends": {}}}