UCF STIG Viewer Logo

The system must retain enough rotated audit logs to cover the required log retention period.


Overview

Finding ID Version Rule ID IA Controls Severity
V-38636 RHEL-06-000159 SV-50437r1_rule Medium
Description
The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
STIG Date
Red Hat Enterprise Linux 6 Security Technical Implementation Guide 2015-05-26

Details

Check Text ( C-46195r1_chk )
Inspect "/etc/audit/auditd.conf" and locate the following line to determine how many logs the system is configured to retain after rotation: "# grep num_logs /etc/audit/auditd.conf"

num_logs = 5


If the overall system log file(s) retention hasn't been properly set up, this is a finding.
Fix Text (F-43585r1_fix)
Determine how many log files "auditd" should retain when it rotates logs. Edit the file "/etc/audit/auditd.conf". Add or modify the following line, substituting [NUMLOGS] with the correct value:

num_logs = [NUMLOGS]

Set the value to 5 for general-purpose systems. Note that values less than 2 result in no log rotation.