4.1.1.3 Ensure audit logs are not automatically deleted (Scored)

Level 2 - Server
Level 2 - Workstation 

The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs.

In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Run the following commands and verify output matches:

# grep max_log_file_action /etc/audit/auditd.conf 
max_log_file_action = keep_logs

Set the following parameter in /etc/audit/auditd.conf:

max_log_file_action = keep_logs
  • ubuntu1604/4/1/1/3.txt
  • Last modified: 2017/05/02 14:39
  • by Piotr Kłoczewski