The system must rotate audit log files that reach the maximum file size.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-38634	RHEL-06-000161	SV-50435r1_rule		Medium

Description
Automatically rotating logs (by setting this to "rotate") minimizes the chances of the system unexpectedly running out of disk space by being overwhelmed with log data. However, for systems that must never discard log data, or which use external processes to transfer it and reclaim space, "keep_logs" can be employed.

STIG	Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide	2014-06-10

Details

Check Text ( None )
None

Fix Text (F-43583r1_fix)
The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf": max_log_file_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "suspend" "rotate" "keep_logs" Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.

Fix Text (F-43583r1_fix)

The default action to take when the logs reach their maximum size is to rotate the log files, discarding the oldest one. To configure the action taken by "auditd", add or correct the line in "/etc/audit/auditd.conf":

max_log_file_action = [ACTION]

Possible values for [ACTION] are described in the "auditd.conf" man page. These include:

"ignore"
"syslog"
"suspend"
"rotate"
"keep_logs"

Set the "[ACTION]" to "rotate" to ensure log rotation occurs. This is the default. The setting is case-insensitive.