The system must retain enough rotated audit logs to cover the required log retention period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217947 | RHEL-06-000159 | SV-217947r505923_rule | Medium |
| Description |
|---|
| The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2020-09-03 |
Details
| Check Text ( C-19428r376856_chk ) |
|---|
| Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf" num_logs = 5 If the overall system log file(s) retention hasn't been properly set up, this is a finding. |
| Fix Text (F-19426r376857_fix) |
|---|
| Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value: num_logs = [NUMLOGS] Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation. |