Profile Applicability:

Level 2

Description:

The max_log_file_action parameter in the audit daemon’s configuration determines what action to take when the log file size defined by max_log_file is reached. Setting this parameter to keep_logs ensures that audit logs are never automatically deleted and are preserved for review and forensic analysis.

Rationale:

Preserving audit logs is critical for investigating suspicious activity, understanding historical events, and meeting regulatory compliance. Automatically deleting logs can result in the loss of valuable information and reduce visibility into system activity.

Impact:

Pros:

  • Preserves important audit records for investigations and compliance

  • Avoids accidental or automatic data loss

  • Supports long-term retention policies

Cons:

  • Requires adequate disk space to store logs

  • May require a manual cleanup or archiving strategy

Default Value:

On many systems, max_log_file_action may be set to rotate, which can overwrite older logs.

Pre-requisites:

  • auditd must be installed

  • Root or sudo access is required

Test Plan:

Using Linux Command Line:

  1. Check the current value of max_log_file_action:

    grep max_log_file_action /etc/audit/auditd.conf

Implementation Plan:

Using Linux Command Line:

  1. Open the configuration file:

    vi /etc/audit/auditd.conf

  2. Locate or add the following line to ensure logs are not deleted:

    max_log_file_action = keep_logs

  3. Save and exit the file.

  4. Restart the auditd service to apply the changes:

    systemctl restart auditd
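The check and remediation steps above, as an added example that is not part of the benchmark text: a POSIX shell script that evaluates an auditd.conf file for the keep_logs setting and rewrites it idempotently. It takes the file path as an argument so it can be run against a copy first; the sample configuration at the end is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the benchmark): audit and remediate
# max_log_file_action in an auditd.conf given by path.

# Print the value of a key from auditd.conf, ignoring commented lines and
# surrounding whitespace; if the key appears more than once, the last
# uncommented assignment is reported.
audit_conf_get() {
    _file="$1"; _key="$2"
    sed -n "s/^[[:space:]]*${_key}[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$_file" | tail -n 1
}

# Exit 0 (pass) when max_log_file_action is keep_logs, 1 otherwise.
# Compared case-insensitively because auditd accepts either spelling.
check_max_log_file_action() {
    _val=$(audit_conf_get "$1" max_log_file_action | tr '[:upper:]' '[:lower:]')
    [ "$_val" = "keep_logs" ]
}

# Set max_log_file_action = keep_logs idempotently: rewrite every existing
# uncommented assignment, or append one if the key is absent. The file is
# rewritten in place through a temp copy so ownership and mode are kept.
set_max_log_file_action() {
    _file="$1"
    if grep -q '^[[:space:]]*max_log_file_action[[:space:]]*=' "$_file"; then
        _tmp="${_file}.tmp.$$"
        sed 's/^[[:space:]]*max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' "$_file" > "$_tmp" \
            && cat "$_tmp" > "$_file" && rm -f "$_tmp"
    else
        printf '%s\n' 'max_log_file_action = keep_logs' >> "$_file"
    fi
}

# Demonstration on a constructed sample so nothing on the host is modified.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# constructed sample resembling /etc/audit/auditd.conf
log_file = /var/log/audit/audit.log
max_log_file = 8
#max_log_file_action = keep_logs
max_log_file_action = ROTATE
num_logs = 5
EOF
check_max_log_file_action "$demo_file" && echo "PASS" \
    || echo "FAIL: max_log_file_action = $(audit_conf_get "$demo_file" max_log_file_action)"
set_max_log_file_action "$demo_file"
check_max_log_file_action "$demo_file" && echo "PASS after remediation"
rm -f "$demo_file"
```

Run it as root against /etc/audit/auditd.conf only after reviewing the result on a copy, then restart auditd as in step 4.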

Backout Plan:

Using Linux Command Line:

  1. Reopen the configuration file:

    vi /etc/audit/auditd.conf

  2. Revert the max_log_file_action value to its previous setting, such as rotate or suspend.

  3. Restart the auditd service:

    systemctl restart auditd

References:

CIS Amazon Linux 2 Benchmark v3.0.0
Auditd Configuration Documentation
NIST SP 800-53 Revision 5 - AU-4