← Rules Catalog
mediumauditverified rollback-safe

Allocate audit record storage capacity for at least one week

auditd-log-storage-week · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

The audit system must be configured to allocate sufficient disk space to retain at least one week's worth of audit records.

Rationale

Insufficient audit log storage capacity means that audit records may be overwritten before they can be reviewed, potentially hiding evidence of security incidents. At least one week of audit data must be retained to support incident response.

Check → Remediate

Checkcommand
# The STIG verifies the partition holding the audit logs can store ~1 week
# of records (its guidance: typically >= 10 GB) via df on that partition —
# not a num_logs proxy, which is decoupled from partition capacity.
logfile=$(grep -iE '^[[:space:]]*log_file[[:space:]]*=' /etc/audit/auditd.conf 2>/dev/null \
            | awk -F= '{gsub(/[[:space:]]/,"",$2); print $2}' | tail -1)
logdir=$(dirname "${logfile:-/var/log/audit/audit.log}")
# -P forces POSIX single-line output (a long device name would otherwise
# wrap df onto two lines and break the field extraction).
kb=$(df -kP "$logdir" 2>/dev/null | awk 'NR==2 {print $2}')
if [ -z "$kb" ]; then
  echo "FAIL: could not determine the audit log partition capacity for $logdir"
  exit 1
fi
# 10 GB = 10485760 KB is the STIG's stated TYPICAL sufficiency, not a
# mandatory minimum — required capacity is activity-dependent. So a
# partition >= 10 GB passes; a smaller one is flagged for manual review
# rather than failed (failing it would false-FAIL a compliant low-activity
# host with a documented smaller partition).
if [ "$kb" -ge 10485760 ]; then
  echo "OK: audit log partition ($logdir) is $((kb / 1024 / 1024)) GB (>= 10 GB)"
  exit 0
fi
echo "MANUAL REVIEW REQUIRED: audit log partition ($logdir) is only $((kb / 1024)) MB, below the STIG's ~10 GB guideline. Verify it can hold one week of audit records for this system's activity level, or document the smaller size as justified."
exit 0
expected_exit:
0
Remediateconfig_set
path:
/etc/audit/auditd.conf
key:
num_logs
value:
5
separator:
=
restart:
auditd

Framework references

STIG

V-281106 / RHEL-10-500100V-258155 / RHEL-09-653030V-230476V-270816 / UBTU-24-900920V-260595 / UBTU-22-653035

NIST 800-53

AU-4

Live verification

rhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#auditd#storage#capacity#manual