The system must set a maximum audit log file size.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-217948 | RHEL-06-000160 | SV-217948r505923_rule | Medium |
| Description |
|---|
| The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 6 Security Technical Implementation Guide | 2020-09-03 |
Details
| Check Text ( C-19429r376859_chk ) |
|---|
| Inspect "/etc/audit/auditd.conf" and locate the following line to determine how much data the system will retain in each audit log file: "# grep max_log_file /etc/audit/auditd.conf" max_log_file = 6 If the system audit data threshold hasn't been properly set up, this is a finding. |
| Fix Text (F-19427r376860_fix) |
|---|
| Determine the amount of audit data (in megabytes) which should be retained in each log file. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting the correct value for [STOREMB]: max_log_file = [STOREMB] Set the value to "6" (MB) or higher for general-purpose systems. Larger values, of course, support retention of even more audit data. |