Configure auditd Number of Logs Retained
An XCCDF Rule
Description
Determine how many log files
auditd
should retain when it rotates logs.
Edit the file /etc/audit/auditd.conf
. Add or modify the following
line, substituting NUMLOGS with the correct value of
num_logs = NUMLOGSSet the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.
Rationale
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
- ID
- xccdf_org.ssgproject.content_rule_auditd_data_retention_num_logs
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83688-2
- CJIS-5.4.1.1
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
var_auditd_num_logs='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_num_logs" use="legacy"/>'
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec:
config:
ignition: