← Rules Catalog
mediumauditverified rollback-safe

Configure auditd max_log_file_action

auditd-max-log-file-action · RHEL ≥ 8 · 1 impl

Description

The auditd max_log_file_action must be configured to rotate logs when they reach maximum size. This ensures audit logs are preserved and not automatically deleted.

Rationale

When audit logs reach their maximum size, the configured action determines how auditd responds. Setting this to 'keep_logs' or 'rotate' ensures logs are preserved for forensic analysis rather than being deleted.

Check → Remediate

Checkconfig_value
path:
/etc/audit/auditd.conf
key:
max_log_file_action
expected:
keep_logs
Remediateconfig_set
path:
/etc/audit/auditd.conf
key:
max_log_file_action
value:
keep_logs
separator:
=
restart:
auditd

Framework references

CIS

rhel9 6.3.2.2rhel10 6.3.2.2rhel8 6.3.2.2

STIG

V-258160 / RHEL-09-653055

NIST 800-53

AU-4AU-9

Live verification

rhel10:checkrhel8:checkrhel9:check
#audit#logging#rotation#configuration