8.1.1.3 Keep All Auditing Information

Information

Normally, auditd will hold 4 logs of maximum log file size before deleting older log files.

*Rationale*

In high security contexts, the benefits of maintaining a long audit history exceed the cost of
storing the audit history.

Solution

Add the following line to the /etc/audit/auditd.conf file.max_log_file_action = keep_logs

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-5

Plugin: Unix

Control ID: d69a5f0ed887f4fe229227938f05674db4abc6986c81a44431809a77cbde0720