Configure auditd Number of Logs Retained

Classification:

compliance

Description

Determine how many log files auditd should retain when it rotates logs. Edit the file /etc/audit/auditd.conf and add or modify the following line, replacing NUMLOGS with the chosen value (5 for this rule):

num_logs = NUMLOGS

Set the value to 5 for general-purpose systems. Values less than 2 disable rotation entirely, and auditd does not accept values above 999. The setting is only consulted when max_log_file_action is set to rotate; with keep_logs the daemon rotates but never removes old files, and with ignore, syslog or suspend no rotation happens at all. auditd reads auditd.conf at start-up and on SIGHUP, so restart or reload the daemon (for example with service auditd restart) after editing the file.

Rationale

The total storage for audit log files must be large enough to retain log information over the period required. This is a function of the maximum log file size and the number of logs retained.
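The following shell script is an added example, not part of this rule or of the ComplianceAsCode project's own tooling. It checks a given auditd.conf for the num_logs setting described above together with the two settings it depends on (max_log_file and max_log_file_action) and computes the storage bound the rationale refers to: num_logs files of at most max_log_file MB each. The sample configuration files it writes are constructed for the demonstration, and the helper names auditd_conf_get, as_uint, audit_log_budget_mb and audit_log_retention are this example's own.

```shell
#!/bin/bash
# Added example, not part of the ComplianceAsCode rule or its remediation:
# check an auditd.conf for the retention settings this rule depends on and
# compute the on-disk budget the Rationale refers to. The config files below
# are constructed for the demo; nothing here touches /etc/audit.

# Read one key from an auditd.conf-style file ("key = value", '#' comments).
# The key must be followed by optional whitespace and '=', so asking for
# "max_log_file" does not match the "max_log_file_action" line. If a key
# appears more than once, this checker reports the last occurrence.
auditd_conf_get() {   # $1 = config file, $2 = key
    LC_ALL=C sed -n -E \
        "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*([^#[:space:]]+).*/\1/p" "$1" \
        | tail -n 1
}

# Normalise a value to a non-negative integer; anything else becomes 0
# (an absent num_logs is treated as "no rotation" here).
as_uint() {
    case "$1" in ''|*[!0-9]*) echo 0 ;; *) echo "$1" ;; esac
}

# Upper bound on audit log storage in MB: num_logs files (the active log plus
# the rotated audit.log.1 .. audit.log.N-1) of at most max_log_file MB each.
audit_log_budget_mb() {   # $1 = config file
    local n m
    n=$(as_uint "$(auditd_conf_get "$1" num_logs)")
    m=$(as_uint "$(auditd_conf_get "$1" max_log_file)")
    echo $(( n * m ))
}

# Print a report and return 0 only if num_logs meets the rule (5 or more)
# and rotation is actually in effect (max_log_file_action = rotate).
audit_log_retention() {   # $1 = config file
    local cfg="$1" num_logs max_mb action rc=0
    num_logs=$(as_uint "$(auditd_conf_get "$cfg" num_logs)")
    max_mb=$(as_uint "$(auditd_conf_get "$cfg" max_log_file)")
    action=$(auditd_conf_get "$cfg" max_log_file_action | tr '[:upper:]' '[:lower:]')

    echo "$cfg: num_logs=$num_logs max_log_file=${max_mb}MB max_log_file_action=${action:-unset}"
    echo "  storage upper bound: $(audit_log_budget_mb "$cfg") MB"

    if [ "$num_logs" -lt 2 ]; then
        echo "  FAIL: num_logs < 2 means auditd never rotates"
        rc=1
    elif [ "$num_logs" -gt 999 ]; then
        echo "  FAIL: num_logs must be 999 or less"
        rc=1
    elif [ "$num_logs" -lt 5 ]; then
        echo "  FAIL: rule expects num_logs = 5"
        rc=1
    fi
    if [ "$action" != "rotate" ]; then
        echo "  FAIL: num_logs is only consulted when max_log_file_action = rotate"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "  PASS"
    fi
    return "$rc"
}

# Constructed sample configs: one weak host, one after this rule's remediation.
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

cat >"$WEAK_CONF" <<'EOF'
# constructed auditd.conf excerpt
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 1
max_log_file_action = rotate
EOF

cat >"$FIXED_CONF" <<'EOF'
# constructed auditd.conf excerpt after remediation
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = rotate
EOF

audit_log_retention "$WEAK_CONF" || true
audit_log_retention "$FIXED_CONF"
```

The functions only read the file they are given, so pointing audit_log_retention at /etc/audit/auditd.conf is a safe way to verify a live host before and after running the remediation. The reported bound is an upper limit: auditd only fills files up to max_log_file MB, and the rotated copies may be smaller.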

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then

var_auditd_num_logs='5'


AUDITCONFIG=/etc/audit/auditd.conf

# Test if the config_file is a symbolic link. If so, use --follow-symlinks with sed.
# Otherwise, regular sed command will do.
sed_command=('sed' '-i')
if test -L "$AUDITCONFIG"; then
 sed_command+=('--follow-symlinks')
fi

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^num_logs")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_num_logs"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^num_logs\\>" "$AUDITCONFIG"; then
 escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
 "${sed_command[@]}" "s/^num_logs\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
 # If the file ends without a trailing newline, add one first so the appended
 # key is not glued onto the last existing line.
 if [ -s "$AUDITCONFIG" ] && [ -n "$(tail -c 1 "$AUDITCONFIG")" ]; then
  printf '\n' >> "$AUDITCONFIG"
 fi
 printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi

# auditd only re-reads auditd.conf on start-up or SIGHUP, so the new value
# takes effect after 'service auditd restart' (or a reload).

else
 >&2 echo 'Remediation is not applicable, nothing was done'
fi