@ferricoxide
Member

Closes #553

Value already correctly set:

Appears that, since the scans were performed that resulted in Issue 553, Alma Linux 9 now defaults to having the prescribed value set. On a freshly launched Alma Linux 9 instance (built from a January-created AMI), launch-time output looks like:

----------
          ID: ALMA-09-054360-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-054360
                  The OS must audit system must make
                  full use of the audit storage space
              ----------------------------------------
     Started: 14:08:59.149122
    Duration: 0.677 ms
     Changes:
----------
          ID: Make full use of the audit storage space (ALMA-09-054360)
    Function: file.replace
        Name: /etc/audit/auditd.conf
      Result: True
     Comment: No changes needed to be made
     Started: 14:08:59.149931
    Duration: 3.835 ms
     Changes:
----------

Value Corrected by state:

As a test, hand-altered the file to set an invalid value, then ran the hardening-logic:

----------
          ID: ALMA-09-054360-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-054360
                  The OS must audit system must make
                  full use of the audit storage space
              ----------------------------------------
     Started: 14:25:57.386377
    Duration: 0.945 ms
     Changes:
----------
          ID: Make full use of the audit storage space (ALMA-09-054360)
    Function: file.replace
        Name: /etc/audit/auditd.conf
      Result: True
     Comment: Changes were made
     Started: 14:25:57.389086
    Duration: 22.313 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -9,7 +9,7 @@
                   log_format = ENRICHED
                   flush = INCREMENTAL_ASYNC
                   freq = 50
                  -max_log_file = 7
                  +max_log_file = 8
                   num_logs = 5
                   priority_boost = 4
                   ##name = mydomain
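
Review bot: The test at `-max_log_file = 7` covers only an uncommented, space-separated assignment. The same file carries commented entries (`##name = mydomain`), so a run against `#max_log_file = 8` and against the unspaced `max_log_file=7` would confirm that the pattern neither rewrites a comment nor misses the compact form.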

Summary for local
------------

No Previous Value Set:

----------
          ID: ALMA-09-054360-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-054360
                  The OS must audit system must make
                  full use of the audit storage space
              ----------------------------------------
     Started: 15:08:32.346797
    Duration: 0.718 ms
     Changes:
----------
          ID: Make full use of the audit storage space (ALMA-09-054360)
    Function: file.replace
        Name: /etc/audit/auditd.conf
      Result: True
     Comment: Changes were made
     Started: 15:08:32.350614
    Duration: 19.982 ms
     Changes:
              ----------
              diff:
                  ---
                  +++
                  @@ -38,3 +38,4 @@
                   plugin_dir = /etc/audit/plugins.d
                   end_of_event_timeout = 2
                   name_format = hostname
                  +# Set per rule ALMA-09-054360
                  max_log_file = 8
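
Review bot: The header `@@ -38,3 +38,4 @@` accounts for one added line, yet two new lines are shown and `max_log_file = 8` carries no `+` marker. That is consistent with the comment and the setting being appended as one multi-line string; please confirm that the resulting `/etc/audit/auditd.conf` ends with `max_log_file = 8` on its own line with a trailing newline, and that a second run reports "No changes needed to be made".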
------------

Invalid Distro:

Output similar to the following will show on RHEL/Rocky/CentOS Stream 9 and OEL 9 (Rocky Linux 9 output shown):

----------
          ID: ALMA-09-054360-description
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-054360
                  The OS must audit system must make
                  full use of the audit storage space
              ----------------------------------------
     Started: 14:38:03.664193
    Duration: 0.489 ms
     Changes:
----------
          ID: Skip Reason (ALMA-09-054360)
    Function: test.show_notification
      Result: True
     Comment: ----------------------------------------
              STIG Finding ID: ALMA-09-054360
                   Not valid for distro 'Rocky'
              ----------------------------------------
     Started: 14:38:03.664826
    Duration: 0.49 ms
     Changes:
----------
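
An added check, not part of this PR or the project's Salt state, that classifies an `auditd.conf`-style file into the three cases exercised above (value already set, wrong value, no value set). The function names and status strings are hypothetical; the required value `8` is taken from the diffs in the state output.

```shell
#!/bin/sh
# Added example: report whether max_log_file is set to the required value.
# Prints one of: compliant | mismatch:<value> | absent  (hypothetical status names)
check_max_log_file() {
    conf=$1
    required=${2:-8}
    # Collect every uncommented assignment of exactly "max_log_file".
    # Requiring "=" right after the key (optional blanks only) keeps longer
    # keys such as max_log_file_action from matching; "#..." lines are skipped.
    values=$(sed -n 's/^[[:space:]]*max_log_file[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' "$conf")
    [ -n "$values" ] || { echo "absent"; return 0; }
    # Any assignment that differs from the required value is a finding,
    # so duplicate entries cannot hide a wrong one.
    for v in $values; do
        [ "$v" = "$required" ] || { echo "mismatch:$v"; return 0; }
    done
    echo "compliant"
}

# Constructed sample file, modelled on the context lines in the diffs above;
# $1 is the line under test.
sample_conf() {
    printf '%s\n' 'log_format = ENRICHED' 'freq = 50' "$1" 'num_logs = 5' \
        'max_log_file_action = ROTATE' '##name = mydomain'
}

demo() {
    tmp=$(mktemp)
    for line in 'max_log_file = 8' 'max_log_file = 7' 'max_log_file=7' '#max_log_file = 8'; do
        sample_conf "$line" > "$tmp"
        printf '%-20s -> %s\n' "$line" "$(check_max_log_file "$tmp")"
    done
    rm -f "$tmp"
}
demo
```

On a real host the function would be pointed at `/etc/audit/auditd.conf`, the file the state manages.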

@ferricoxide ferricoxide changed the title from "Feature/issue 553" to "Implements "audit system must make full use of the audit storage space" finding-handler for Alma Linux 9" Jan 20, 2026
@ferricoxide ferricoxide requested a review from a team January 20, 2026 16:14
@ferricoxide ferricoxide merged commit a4ca449 into plus3it:master Jan 20, 2026
10 checks passed
@ferricoxide ferricoxide deleted the Feature/Issue_553 branch January 20, 2026 16:23
Development

Successfully merging this pull request may close these issues.

[Feature Request] Compliance Setting: "OS audit system must make full use of the audit storage space"