{"description": "The default action to take when the logs reach their maximum size\nis to rotate the log files, discarding the oldest one. To configure the action taken\nby <tt>auditd</tt>, add or correct the line in <tt>/etc/audit/auditd.conf</tt>:\n<pre>max_log_file_action = <i>ACTION</i></pre>\nPossible values for <i>ACTION</i> are described in the <tt>auditd.conf</tt> man\npage. These include:\n<ul>\n<li><tt>ignore</tt></li>\n<li><tt>syslog</tt></li>\n<li><tt>suspend</tt></li>\n<li><tt>rotate</tt></li>\n<li><tt>keep_logs</tt></li>\n</ul>\nSet the <tt><i>ACTION</i></tt> to <tt><sub idref=\"var_auditd_max_log_file_action\" /></tt>.\nThe setting is case-insensitive.", "rationale": "Automatically rotating logs (by setting this to <tt>rotate</tt>)\nminimizes the chances of the system unexpectedly running out of disk space by\nbeing overwhelmed with log data. However, for systems that must never discard\nlog data, or which use external processes to transfer it and reclaim space,\n<tt>keep_logs</tt> can be employed.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8"], "cjis": ["5.4.1.1"], "cobit5": ["APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI04.04", "BAI08.02", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS05.04", "DSS05.07", "MEA02.01"], "hipaa": ["164.312(a)(2)(ii)"], "isa-62443-2009": ["4.2.3.10", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1", "SR 7.1", "SR 7.2"], "iso27001-2013": ["A.12.1.3", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.17.2.1"], "nist": ["AU-5(b)", "AU-5(2)", "AU-5(1)", "AU-5(4)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "PR.DS-4", "PR.PT-1", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.7"], "srg": ["SRG-OS-000047-GPOS-00023"], "cis": ["6.3.2.2"]}, 
"control_references": {"cis": ["6.3.2.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the value of the \"max_log_file_action\" option is set to \"ignore\", \"rotate\", or \"suspend\", or the line is commented out", "ocil": "Verify that the SA and ISSO (at a minimum) are notified when the audit storage volume is full.\n\nCheck which action Ubuntu 22.04 takes when the audit storage volume is full with the following command:\n\n<pre>$ sudo grep max_log_file_action /etc/audit/auditd.conf\nmax_log_file_action = <sub idref=\"var_auditd_max_log_file_action\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to notify the SA and ISSO when the audit storage volume is full by configuring the \"max_log_file_action\" parameter in the \"/etc/audit/auditd.conf\" file with a value of \"syslog\" or \"keep_logs\":\n\nmax_log_file_action = <sub idref=\"var_auditd_max_log_file_action\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure auditd max_log_file_action Upon Reaching Maximum Log Size", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_data_retention_max_log_file_action/rule.yml", "template": null}