Syslog should be enabled by default. Appropriate logging levels should be set in /etc/syslog.conf. Permissions should be set such that “group” and “world” have no access at all to the syslog file. All relevant files should be owned by root, or by a secure admin group that is predefined in /etc/group. Communicate with the UNIX operations group to ensure that the hardened server’s syslog files are incorporated into its centralized server logging system.
Copy the following file:
# cp /usr/share/doc/audit-version/stig.rules /etc/audit/audit.rules
Then edit it to reflect the requirements from the document. Leave the buffers as per the STIG file, but comment out the failure mode.
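The copy-and-edit step above as a script, added here as an example and not part of the original notes: it copies the rules file, comments out the active failure-mode (-f) line, and confirms the buffer (-b) line is unchanged. The function names, the scratch paths, and the sample rules content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): stage a copy of stig.rules
# with the failure mode commented out and the buffer setting left as shipped.

# Constructed sample standing in for the packaged stig.rules file.
write_sample_rules() {
    cat > "$1" <<'EOF'
## Remove any existing rules
-D
## Buffer Size
-b 8192
## Failure Mode
-f 2
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
EOF
}

# Print the value of the active (uncommented) option $2 in rules file $1.
active_option() {
    awk -v opt="$2" '$1 == opt { print $2 }' "$1"
}

# prepare_audit_rules SRC DEST: copy SRC to DEST with "-f N" commented out.
prepare_audit_rules() {
    src=$1 dest=$2
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Keep the rules file already in place, if any, before replacing it.
    if [ -f "$dest" ]; then cp -p "$dest" "$dest.bak" || return 1; fi
    # Anchor on a leading "-f <digit>" so "-F field=value" filters inside
    # -a rules are untouched; an already commented line does not match.
    sed 's/^\([[:space:]]*\)\(-f[[:space:]][[:space:]]*[0-9]\)/\1# \2/' \
        "$src" > "$dest.new" || { rm -f "$dest.new"; return 1; }
    mv "$dest.new" "$dest" || return 1
    # Refuse to report success if a failure mode is still active or the
    # buffer line was lost.
    [ -z "$(active_option "$dest" -f)" ] || return 1
    [ "$(active_option "$src" -b)" = "$(active_option "$dest" -b)" ]
}

# Demo on the constructed sample in a scratch directory.
work=$(mktemp -d)
write_sample_rules "$work/stig.rules"
prepare_audit_rules "$work/stig.rules" "$work/audit.rules" &&
    echo "buffers: $(active_option "$work/audit.rules" -b), failure mode commented out"
rm -rf "$work"
```

On a real host the source and destination would be the two paths from the cp command above, run as root.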