Configure a Sufficiently Large Partition for Audit Logs
An XCCDF Rule
Description
The Red Hat Enterprise Linux 8 operating system must allocate audit record storage capacity to store at least one weeks worth of audit records when audit records are not immediately sent to a central audit record storage facility. The partition size needed to capture a week's worth of audit records is based on the activity level of the system and the total storage capacity available. In normal circumstances, 10.0 GB of storage space for audit records will be sufficient. Determine which partition the audit records are being written to with the following command:
$ sudo grep log_file /etc/audit/auditd.conf log_file = /var/log/audit/audit.logCheck the size of the partition that audit records are written to with the following command:
$ sudo df -h /var/log/audit/ /dev/sda2 24G 10.4G 13.6G 43% /var/log/audit
Rationale
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Off-loading is a common process in information systems with limited audit storage capacity.
- ID
- xccdf_org.ssgproject.content_rule_auditd_audispd_configure_sufficiently_large_partition
- Severity
- Medium
- References
- Updated