mediumauditverified ✓rollback-safe
Allocate audit record storage capacity for at least one week
auditd-log-storage-week · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
The audit system must be configured to allocate sufficient disk space to retain at least one week's worth of audit records.
Rationale
Insufficient audit log storage capacity means that audit records may be overwritten before they can be reviewed, potentially hiding evidence of security incidents. At least one week of audit data must be retained to support incident response.
Check → Remediate
Checkcommand
# The STIG verifies the partition holding the audit logs can store ~1 week
# of records (its guidance: typically >= 10 GB) via df on that partition —
# not a num_logs proxy, which is decoupled from partition capacity.
logfile=$(grep -iE '^[[:space:]]*log_file[[:space:]]*=' /etc/audit/auditd.conf 2>/dev/null \
| awk -F= '{gsub(/[[:space:]]/,"",$2); print $2}' | tail -1)
logdir=$(dirname "${logfile:-/var/log/audit/audit.log}")
# -P forces POSIX single-line output (a long device name would otherwise
# wrap df onto two lines and break the field extraction).
kb=$(df -kP "$logdir" 2>/dev/null | awk 'NR==2 {print $2}')
if [ -z "$kb" ]; then
echo "FAIL: could not determine the audit log partition capacity for $logdir"
exit 1
fi
# 10 GB = 10485760 KB is the STIG's stated TYPICAL sufficiency, not a
# mandatory minimum — required capacity is activity-dependent. So a
# partition >= 10 GB passes; a smaller one is flagged for manual review
# rather than failed (failing it would false-FAIL a compliant low-activity
# host with a documented smaller partition).
if [ "$kb" -ge 10485760 ]; then
echo "OK: audit log partition ($logdir) is $((kb / 1024 / 1024)) GB (>= 10 GB)"
exit 0
fi
echo "MANUAL REVIEW REQUIRED: audit log partition ($logdir) is only $((kb / 1024)) MB, below the STIG's ~10 GB guideline. Verify it can hold one week of audit records for this system's activity level, or document the smaller size as justified."
exit 0
- expected_exit:
- 0
Remediateconfig_set
- path:
- /etc/audit/auditd.conf
- key:
- num_logs
- value:
- 5
- separator:
- =
- restart:
- auditd
Framework references
STIG
V-281106 / RHEL-10-500100V-258155 / RHEL-09-653030V-230476V-270816 / UBTU-24-900920V-260595 / UBTU-22-653035
NIST 800-53
AU-4
Live verification
rhel8:checkrhel9:checkubuntu22:checkubuntu24:check
#audit#auditd#storage#capacity#manual