4.1.1.3 Ensure audit logs are not automatically deleted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The max_log_file_action setting determines how to handle the audit log file reaching the max file size. A value of keep_logs will rotate the logs but never delete old logs. In high security contexts, the benefits of maintaining a long audit history exceed the cost of storing the audit history.

Solution

Set the following parameter in /etc/audit/auditd.conf: max_log_file_action = keep_logs

See Also

https://workbench.cisecurity.org/files/1864