Details
Normally, auditd will hold 4 logs of maximum log file size before deleting older log files.
*Rationale*
In high security contexts, the benefits of maintaining a long audit history exceed the cost of
storing the audit history.
Solution
Add the following line to the /etc/audit/auditd.conf file.max_log_file_action = keep_logs
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.