mediumauditverified ✓rollback-safe
Configure auditd max_log_file_action
auditd-max-log-file-action · RHEL ≥ 8 · 1 impl
Description
The auditd max_log_file_action must be configured to rotate logs when they reach maximum size. This ensures audit logs are preserved and not automatically deleted.
Rationale
When audit logs reach their maximum size, the configured action determines how auditd responds. Setting this to 'keep_logs' or 'rotate' ensures logs are preserved for forensic analysis rather than being deleted.
Check → Remediate
Checkconfig_value
- path:
- /etc/audit/auditd.conf
- key:
- max_log_file_action
- expected:
- keep_logs
Remediateconfig_set
- path:
- /etc/audit/auditd.conf
- key:
- max_log_file_action
- value:
- keep_logs
- separator:
- =
- restart:
- auditd
Framework references
CIS
rhel9 6.3.2.2rhel10 6.3.2.2rhel8 6.3.2.2
STIG
V-258160 / RHEL-09-653055
NIST 800-53
AU-4AU-9
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#logging#rotation#configuration