{"description": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby <tt>auditd</tt>, add or correct the line in <tt>/etc/audit/auditd.conf</tt>:\n<pre>max_log_file_action = <i>ACTION</i></pre>\nPossible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man\npage. These include:\n<ul>\n<li><tt>ignore</tt></li>\n<li><tt>syslog</tt></li>\n<li><tt>suspend</tt></li>\n<li><tt>rotate</tt></li>\n<li><tt>keep_logs</tt></li>\n</ul>\nSet the <tt><i>ACTION</i></tt> to <tt>rotate</tt> to ensure log rotation\noccurs. This is the default. The setting is case-insensitive.", "rationale": "Automatically rotating logs (by setting this to <tt>rotate</tt>)\nminimizes the chances of the system unexpectedly running out of disk space by\nbeing overwhelmed with log data. However, for systems that must never discard\nlog data, or which use external processes to transfer it and reclaim space,\n<tt>keep_logs</tt> can be employed.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "hipaa": ["164.312(a)(2)(ii)"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.7"], "srg": ["SRG-OS-000047-GPOS-00023", "SRG-APP-000098-CTR-000185", "SRG-APP-000099-CTR-000190", "SRG-APP-000100-CTR-000195", "SRG-APP-000100-CTR-000200", "SRG-APP-000109-CTR-000215", "SRG-APP-000290-CTR-000670", "SRG-APP-000357-CTR-000800"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the value of the \"max_log_file_action\" option is not \"ROTATE\", \"SINGLE\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full. If there is no evidence of appropriate action", "ocil": "Verify Ubuntu 22.04 takes the appropriate action when the audit files have reached maximum size.\n\nCheck that Ubuntu 22.04 takes the appropriate action when the audit files have reached maximum size with the following command:\n\n<pre>$ sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action = <sub idref=\"var_auditd_max_log_file_action\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to rotate the audit log when it reaches maximum size.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nmax_log_file_action = <sub idref=\"var_auditd_max_log_file_action\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when the audit files have reached maximum size.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "The Ubuntu 22.04 audit system must take appropriate action when the audit files have reached maximum size.", "vuldiscussion": "It is critical that when the operating system is at risk of failing to process audit logs as required, it takes action to mitigate the failure. Audit processing failures include: software/hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Responses to audit failure depend upon the nature of the failure mode.", "checktext": "Verify that Ubuntu 22.04 takes the appropriate action when the audit files have reached maximum size with the following command:\n\n$ sudo grep max_log_file_action /etc/audit/auditd.conf\n\nmax_log_file_action = ROTATE\n\nIf the value of the \"max_log_file_action\" option is not \"ROTATE\", \"SINGLE\", or the line is commented out, ask the system administrator to indicate how the system takes appropriate action when an audit storage volume is full.  If there is no evidence of appropriate action, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to rotate the audit log when it reaches maximum size.\n\nAdd or update the following line in \"/etc/audit/auditd.conf\" file:\n\nmax_log_file_action = ROTATE"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd max_log_file_action Upon Reaching Maximum Log Size", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action_stig/rule.yml", "template": null}