Profile Applicability:
Level 2
Description:
The max_log_file parameter in the audit daemon's configuration file controls the maximum size of the audit log file before it is rotated. Ensuring this value is set helps prevent the audit logs from consuming excessive disk space and ensures older logs are managed properly.
Rationale:
Setting a reasonable maximum audit log file size ensures that the logs are managed effectively. This prevents the system from running out of disk space due to uncontrolled audit log growth, which could otherwise disrupt normal operations or prevent critical logs from being recorded.
Impact:
Pros:
Ensures proper disk usage by managing log file size
Supports effective log rotation and retention
Improves stability by preventing full disk issues
Cons:
Improper sizing may rotate logs too quickly or allow excessive growth
Default Value:
On many systems, the default value is 6 MB, which may be insufficient for high-volume environments.
Pre-requisites:
auditd must be installed. Root or sudo access is required.
Test Plan:
Using Linux Command Line:
Check the current max log file size setting:
grep max_log_file /etc/audit/auditd.conf
Implementation Plan:
Using Linux Command Line:
Open the configuration file:
vi /etc/audit/auditd.conf
Locate the max_log_file line, or add it if it is absent, and set the size in megabytes (example for 20 MB):
max_log_file = 20
Save and exit the file.
Restart the auditd service to apply the changes:
systemctl restart auditd
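The test and implementation steps above, as an added example in POSIX shell (not part of the benchmark text or the auditd project). It assumes the configuration file path and the required size are passed as arguments, so the functions can be exercised on a constructed copy of the file rather than the live /etc/audit/auditd.conf; the 20 MB threshold follows the page's example and is not a mandated minimum. The key name is anchored at the start of the line and followed by "=", so max_log_file_action is not matched the way a bare "grep max_log_file" would.

```shell
#!/bin/sh
# Added example: audit and remediate the max_log_file setting in an
# auditd.conf-style file. File path and size are parameters (assumption made
# here so the script can run against a constructed copy instead of the real
# /etc/audit/auditd.conf). Restarting auditd is left to the operator.

# Print the configured max_log_file value in MB; print nothing if the key is
# absent. The pattern requires "max_log_file" followed by "=", which excludes
# max_log_file_action. If the key appears more than once, the last one wins.
get_max_log_file() {
    conf="$1"
    sed -n 's/^[[:space:]]*max_log_file[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$conf" | tail -n 1
}

# Return 0 when max_log_file is set to at least $2 MB, 1 otherwise.
# A missing key is treated as a finding, since the page requires the value
# to be set explicitly.
check_max_log_file() {
    conf="$1"; want="$2"
    have=$(get_max_log_file "$conf")
    if [ -z "$have" ]; then
        echo "max_log_file is not set in $conf"; return 1
    fi
    if [ "$have" -lt "$want" ]; then
        echo "max_log_file = $have MB is below the required $want MB"; return 1
    fi
    echo "max_log_file = $have MB meets the required $want MB"; return 0
}

# Set max_log_file to $2 MB: rewrite an existing line in place, or append one
# if the key is absent. A temporary file is used instead of "sed -i" so the
# edit is portable across sed implementations.
set_max_log_file() {
    conf="$1"; size="$2"
    if grep -q '^[[:space:]]*max_log_file[[:space:]]*=' "$conf"; then
        sed "s/^[[:space:]]*max_log_file[[:space:]]*=.*/max_log_file = $size/" "$conf" > "$conf.tmp" \
            && mv "$conf.tmp" "$conf"
    else
        printf 'max_log_file = %s\n' "$size" >> "$conf"
    fi
}

# Demonstration on a constructed excerpt of an auditd.conf (not a real system
# file): the value is 6 MB, so the check fails and the remediation runs.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed excerpt, not a real auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 6
max_log_file_action = ROTATE
num_logs = 5
EOF
    check_max_log_file "$tmp" 20 || set_max_log_file "$tmp" 20
    check_max_log_file "$tmp" 20
    rm -f "$tmp"
}

demo
```

On a live system the remediation would be run as root against /etc/audit/auditd.conf and followed by "systemctl restart auditd" as in the implementation plan above; the check function alone is enough for an audit pass and makes no changes.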
Backout Plan:
Using Linux Command Line:
Open the configuration file:
vi /etc/audit/auditd.conf
Revert max_log_file to its original value, or remove the line if it was added. Restart the auditd service:
systemctl restart auditd
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Configuration Documentation
NIST SP 800-53 Revision 5 - AU-11