5.3.1.3 Keep All Auditing Information

Information

Normally, auditd will hold 4 logs of maximum log file size before deleting older log files.

Rationale:

In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Solution

Add the following line to the /etc/audit/auditd.conf file.

max_log_file_action = keep_logs

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: Unix

Control ID: b0ab711caf27e0b851cba1400294cae207ac1d90d6f1f0124a0c4996e2876cae