{"description": "The audit system writes data to <tt>/var/log/audit/audit.log</tt>. By default,\n<tt>auditd</tt> rotates 5 logs by size (6MB), retaining a maximum of 30MB of\ndata in total, and refuses to write entries when the disk is too\nfull. This minimizes the risk of audit data filling its partition\nand impacting other services. This also minimizes the risk of the audit\ndaemon temporarily disabling the system if it cannot write audit log (which\nit can be configured to do).\n\nFor a busy\nsystem or a system which is thoroughly auditing system activity, the default settings\nfor data retention may be\n insufficient. The log file size needed will depend heavily on what types\nof events are being audited. First configure auditing to log all the events of\ninterest. Then monitor the log size manually for awhile to determine what file\nsize will allow you to keep the required data for the correct time period.\n<br /><br />\nUsing a dedicated partition for <tt>/var/log/audit</tt> prevents the\n<tt>auditd</tt> logs from disrupting system functionality if they fill, and,\nmore importantly, prevents other activity in <tt>/var</tt> from filling the\npartition and stopping the audit trail. (The audit logs are size-limited and\ntherefore unlikely to grow without bound unless configured to do so.) Some\nmachines may have requirements that no actions occur which cannot be audited.\nIf this is the case, then <tt>auditd</tt> can be configured to halt the machine\nif it runs out of space. <b>Note:</b> Since older logs are rotated,\nconfiguring <tt>auditd</tt> this way does not prevent older logs from being\nrotated away before they can be viewed.\n\n<i>If your system is configured to halt when logging cannot be performed, make\nsure this can never happen under normal circumstances! Ensure that\n<tt>/var/log/audit</tt> is on its own partition, and that this partition is\nlarger than the maximum amount of data <tt>auditd</tt> will retain\nnormally.</i>", "warnings": [], "requires": [], "conflicts": [], "values": ["var_audispd_disk_full_action", "var_audispd_network_failure_action", "var_audispd_remote_server", "var_auditd_action_mail_acct", "var_auditd_admin_space_left_action", "var_auditd_admin_space_left_percentage", "var_auditd_disk_error_action", "var_auditd_disk_full_action", "var_auditd_flush", "var_auditd_freq", "var_auditd_max_log_file", "var_auditd_max_log_file_action", "var_auditd_name_format", "var_auditd_num_logs", "var_auditd_space_left", "var_auditd_space_left_action", "var_auditd_space_left_percentage"], "groups": {}, "rules": ["auditd_audispd_configure_remote_server", "auditd_audispd_configure_sufficiently_large_partition", "auditd_audispd_disk_full_action", "auditd_audispd_encrypt_sent_records", "auditd_audispd_network_failure_action", "auditd_audispd_remote_daemon_activated", "auditd_audispd_remote_daemon_direction", "auditd_audispd_remote_daemon_path", "auditd_audispd_remote_daemon_type", "auditd_audispd_syslog_plugin_activated", "auditd_data_disk_error_action", "auditd_data_disk_error_action_stig", "auditd_data_disk_full_action", "auditd_data_disk_full_action_stig", "auditd_data_retention_action_mail_acct", "auditd_data_retention_admin_space_left_action", "auditd_data_retention_admin_space_left_percentage", "auditd_data_retention_flush", "auditd_data_retention_max_log_file", "auditd_data_retention_max_log_file_action", "auditd_data_retention_max_log_file_action_stig", "auditd_data_retention_num_logs", "auditd_data_retention_space_left", "auditd_data_retention_space_left_action", "auditd_data_retention_space_left_percentage", "auditd_freq", "auditd_local_events", "auditd_log_format", "auditd_name_format", "auditd_offload_logs", "auditd_overflow_action", "auditd_write_logs"], "platform": "package[audit]", "platforms": ["package[audit]"], "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_audit"], "title": "Configure auditd Data Retention", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/group.yml"}