Profile Applicability:
 • Level 2

Description:
 The /var/log/audit directory stores audit logs generated by the Linux audit system. Mounting /var/log/audit on a separate partition isolates audit data from other filesystems, enhancing log security, integrity, and system stability.

Rationale:
 Having /var/log/audit on a separate partition prevents audit logs from filling up other partitions, which could disrupt system operations and security monitoring. It also facilitates applying specific mount options and simplifies backup and recovery of audit logs.

Impact:
 Pros:

  • Prevents disk space exhaustion on root or other critical filesystems due to audit log growth.

  • Enhances audit log integrity and security.

  • Simplifies backup and recovery of audit data.

Cons:

  • Requires additional partitioning and disk space allocation.

  • Misconfiguration could impact audit logging functionality.

Default Value:
 By default, /var/log/audit is typically part of the /var or root filesystem and not mounted separately.

Pre-requisites:

  • Root or sudo privileges to modify disk partitions and /etc/fstab.

  • Backup of audit data before repartitioning.

Remediation:

Test Plan:

Using Linux command line:

  1. Check current mount points for /var/log/audit:

     mount | grep /var/log/audit
  2. Verify if /var/log/audit is mounted on a separate partition:

     findmnt /var/log/audit
  3. Check /etc/fstab for /var/log/audit entry:

     grep /var/log/audit /etc/fstab
    Expected output: /var/log/audit should be listed as a separate mount point.

Implementation Plan:

Using Linux command line:

  1. Create a separate partition or logical volume for /var/log/audit.

  2. Format the new partition:

     mkfs.ext4 /dev/<partition>
  3. Backup current audit log data:

     cp -a /var/log/audit /var/log/audit_backup
  4. Mount new partition temporarily:

     mount /dev/<partition> /mnt
  5. Copy backup data back:

     cp -a /var/log/audit_backup/* /mnt/

Backout Plan:

Using Linux command line:

  1. Remove or comment out /var/log/audit entry in /etc/fstab.

  2. Unmount /var/log/audit:

     umount /var/log/audit
  3. Restore backup if necessary:

     cp -a /var/log/audit_backup/* /var/log/audit/
  4. Reboot or remount root filesystem.

References: