4.1.1.3 Ensure audit logs are not automatically deleted (Scored)
Profile Applicability
Level 2 - Server Level 2 - Workstation
Description
The max_log_file_action
setting determines how to handle the audit log file reaching the max file size. A value of keep_logs
will rotate the logs but never delete old logs.
Rationale
In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.
Audit
Run the following commands and verify output matches:
# grep max_log_file_action /etc/audit/auditd.conf max_log_file_action = keep_logs
Remediation
Set the following parameter in /etc/audit/auditd.conf
:
max_log_file_action = keep_logs