4.1.2.1 Ensure audit log storage size is configured

Information

Configure the maximum size of the audit log file. Once the log reaches the maximum size, it will be rotated and a new log file will be started.

Notes:

-

The max_log_file parameter is measured in megabytes.

-

Other methods of log rotation may be appropriate based on site policy. One example is time-based rotation strategies which don't have native support in auditd configurations. Manual audit of custom configurations should be evaluated for effectiveness and completeness.

It is important that an appropriate size is determined for log files so that they do not impact the system and audit data is not lost.

Solution

Set the following parameter in /etc/audit/auditd.conf in accordance with site policy:

max_log_file = <MB>

See Also

https://workbench.cisecurity.org/files/3682

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-4, CSCv7|6.4

Plugin: Unix

Control ID: 30f86d0493c0cb273844198c31d8ff2ede0a1f6a0dfd7cf3f8788425e2d5114f