4.1.2.1 Ensure audit log storage size is configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.

Notes:

The max_log_file parameter is measured in megabytes.

Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.

Rationale:

It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.

Solution

Set the following parameter in /etc/audit/auditd.conf in accordance with site policy:

max_log_file = <MB>

See Also

https://workbench.cisecurity.org/files/2854

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv6|6.3, CSCv7|6.4

Plugin: Unix

Control ID: d59008f7292014cbb4d3cd1b4c106394fa6d95fb9e41a263cc3b73ce806f8238