4.1.2.2 Ensure audit logs are not automatically deleted

Information

The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.

Rationale:

In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Solution

Set the following parameter in /etc/audit/auditd.conf:

max_log_file_action = keep_logs

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-4, 800-53|AU-12, CSCv6|6.3, CSCv7|6.2, CSCv7|6.4

Plugin: Unix

Control ID: 4c97369b771b8c5b37d81e34d2e40a226550097c21b32928160be3b3ed3a405c