RHEL 9 must use a separate file system for the system audit data path.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-257847 | RHEL-09-231030 | SV-257847r1044924_rule | Low |
| Description |
| Placing "/var/log/audit" in its own partition enables better separation between audit files and other system files, and helps ensure that auditing cannot be halted due to the partition running out of space. Satisfies: SRG-OS-000341-GPOS-00132, SRG-OS-000480-GPOS-00227 |
| STIG | Date |
| Red Hat Enterprise Linux 9 Security Technical Implementation Guide | 2024-12-04 |
Details
| Check Text (C-61588r1044923_chk) |
| Verify that a separate file system/partition has been created for the system audit data path with the following command: Note: /var/log/audit is used as the example as it is a common location. $ mount | grep /var/log/audit /dev/mapper/rootvg-varlogaudit on /var/log/audit type xfs (rw,relatime,seclabel,attr2,inode64,logbufs=8,logbsize=32k,noquota) Note: Options displayed for mount may differ. If no line is returned, this is a finding. |
| Fix Text (F-61512r925527_fix) |
| Migrate the system audit data path onto a separate file system. |