Configure auditd max_log_file_action Upon Reaching Maximum Log Size
An XCCDF Rule
Description
The default action to take when the logs reach their maximum size
is to rotate the log files, discarding the oldest one. To configure the action taken
by auditd
, add or correct the line in /etc/audit/auditd.conf
:
max_log_file_action = ACTIONPossible values for ACTION are described in the
auditd.conf
man
page. These include:
ignore
syslog
suspend
rotate
keep_logs
ACTION
to rotate
to ensure log rotation
occurs. This is the default. The setting is case-insensitive.
Rationale
Automatically rotating logs (by setting this to rotate
)
minimizes the chances of the system unexpectedly running out of disk space by
being overwhelmed with log data. However, for systems that must never discard
log data, or which use external processes to transfer it and reclaim space,
keep_logs
can be employed.
- ID
- xccdf_org.ssgproject.content_rule_auditd_data_retention_max_log_file_action
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
var_auditd_max_log_file_action='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_max_log_file_action" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CJIS-5.4.1.1
- NIST-800-53-AU-5(1)