File: group.yml

scap-security-guide 0.1.78-1
documentation_complete: true

title: 'Configure auditd Data Retention'

description: |-
    The audit system writes data to <tt>/var/log/audit/audit.log</tt>. By default,
    <tt>auditd</tt> rotates 5 logs by size (6MB), retaining a maximum of 30MB of
    data in total, and refuses to write entries when the disk is too
    full. This minimizes the risk of audit data filling its partition
    and impacting other services. This also minimizes the risk of the audit
    daemon temporarily disabling the system if it cannot write the audit log (which
    it can be configured to do).

    For a busy system, or a system which is thoroughly auditing system activity,
    the default settings for data retention may be insufficient. The log file
    size needed will depend heavily on what types of events are being audited.
    First configure auditing to log all the events of interest. Then monitor the
    log size manually for a while to determine what file size will allow you to
    keep the required data for the correct time period.
    <br /><br />
    Using a dedicated partition for <tt>/var/log/audit</tt> prevents the
    <tt>auditd</tt> logs from disrupting system functionality if they fill, and,
    more importantly, prevents other activity in <tt>/var</tt> from filling the
    partition and stopping the audit trail. (The audit logs are size-limited and
    therefore unlikely to grow without bound unless configured to do so.) Some
    machines may have requirements that no actions occur which cannot be audited.
    If this is the case, then <tt>auditd</tt> can be configured to halt the machine
    if it runs out of space. <b>Note:</b> Since older logs are rotated,
    configuring <tt>auditd</tt> this way does not prevent older logs from being
    rotated away before they can be viewed.

    <i>If your system is configured to halt when logging cannot be performed, make
    sure this can never happen under normal circumstances! Ensure that
    <tt>/var/log/audit</tt> is on its own partition, and that this partition is
    larger than the maximum amount of data <tt>auditd</tt> will retain
    normally.</i>

platform: package[audit]
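An added shell check that applies the retention guidance above; it is not part of scap-security-guide or of this rule group's own remediation content. It reads the standard <tt>auditd.conf</tt> keys <tt>max_log_file</tt> (MB), <tt>num_logs</tt> and <tt>max_log_file_action</tt>, which are documented in auditd.conf(5) but not named in the description, computes the most audit data <tt>auditd</tt> will keep on disk, and verifies that <tt>/var/log/audit</tt> is a dedicated partition larger than that figure. The sample configuration it builds is constructed for the demonstration and mirrors the defaults quoted above (5 logs of 6MB).

```shell
#!/bin/sh
# Added example, not part of scap-security-guide: bound the audit data auditd
# will retain under a given auditd.conf and verify that the directory holding
# the audit trail is its own partition, larger than that bound. Only the
# documented auditd.conf keys max_log_file (MB), num_logs and
# max_log_file_action are read; the configuration below is constructed input.

# Print the value of KEY from an auditd.conf-style FILE ("key = value").
# Prints nothing and returns 1 when the key is not set.
conf_value() {
    file=$1; key=$2
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$file" | tail -n 1)
    [ -n "$val" ] && echo "$val"
}

# Return 0 when max_log_file_action is "rotate", the only setting that keeps
# disk usage bounded: ignore and syslog keep writing past the limit, keep_logs
# rotates but never deletes, and suspend caps the file only by halting logging.
retention_bounded() {
    [ "$(conf_value "$1" max_log_file_action)" = rotate ]
}

# Upper bound on audit data kept on disk, in MB: max_log_file * num_logs, the
# figure the description quotes (5 logs of 6MB = 30MB). Fails when a key is
# missing or when the rotation action does not bound the size.
retention_mb() {
    file=$1
    size=$(conf_value "$file" max_log_file) || return 1
    count=$(conf_value "$file" num_logs) || return 1
    retention_bounded "$file" || return 1
    echo $((size * count))
}

# Check that DIR is the root of its own mount and that the partition is at
# least NEED_MB in size. Uses only df -Pk, so it runs on any POSIX system.
check_partition() {
    dir=$1; need_mb=$2
    [ -d "$dir" ] || { echo "$dir: directory missing"; return 1; }
    mnt=$(df -Pk "$dir" | awk 'NR==2 {print $NF}')
    size_mb=$(df -Pk "$dir" | awk 'NR==2 {print int($2 / 1024)}')
    if [ "$mnt" != "$dir" ]; then
        echo "$dir: not a dedicated partition (lives on $mnt)"; return 1
    fi
    if [ "$size_mb" -lt "$need_mb" ]; then
        echo "$dir: ${size_mb}MB partition is smaller than the ${need_mb}MB auditd may retain"; return 1
    fi
    echo "$dir: dedicated ${size_mb}MB partition, enough for ${need_mb}MB of audit data"
}

# Constructed sample configuration matching the defaults the description
# quotes: 5 logs of 6MB, rotated, for at most 30MB of retained data.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed auditd.conf fragment (sample input, not a shipped default file)
max_log_file = 6
num_logs = 5
max_log_file_action = rotate
space_left_action = email
admin_space_left_action = halt
EOF
if need=$(retention_mb "$sample"); then
    echo "auditd may retain up to ${need}MB under $sample"
    # Only meaningful on a host that actually has the audit log directory.
    if [ -d /var/log/audit ]; then check_partition /var/log/audit "$need"; fi
else
    echo "$sample: retention is unbounded or keys are missing"
fi
rm -f "$sample"
```

Run it as root on the host under review, pointing `retention_mb` at the live `/etc/audit/auditd.conf`; a failing `check_partition` is exactly the condition the emphasised note warns about when `admin_space_left_action` or `disk_full_action` is set to halt.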