Retain logs for minimum 180 days.
389-LM-002 - severity: medium
| Field | Value |
|---|---|
| Control ID | 389-LM-002 |
| Severity | medium |
| Type | preventive |
| Owner | IT Operations |
| Status | authored |
| NIST 800-53 | AU-11 |
| DISA SRG | SRG-APP-000086 |
Rationale
Short log retention destroys the evidentiary record precisely when it is needed most: slow-and-low attacks, insider data exfiltration, and stealthy lateral movement through directory group memberships often go undetected for weeks or months before discovery. If local logs have already been rotated away by the time an investigation begins, reconstruction of the attack timeline becomes impossible. Retaining access, error, and audit logs for a minimum of 180 days aligns with NIST SP 800-53 AU-11 (audit record retention) and common regulatory baselines including PCI DSS and DISA SRG-APP-000086, ensuring the forensic depth required to produce credible incident timelines. Without an explicit retention policy, 389DS default rotation periods may purge logs in days, silently eliminating compliance evidence and leaving the organization unable to demonstrate control effectiveness during an audit.
Check

Verify that the access log expiration time is set to at least 180 days (a value of 180 or more with a unit of day, or the equivalent in weeks or months). The same two attributes exist for the error and audit logs (nsslapd-errorlog-* and nsslapd-auditlog-*) and should be checked the same way.

```shell
dsconf <instance> config get nsslapd-accesslog-logexpirationtime nsslapd-accesslog-logexpirationtimeunit
```
Remediation

Set the access, error, and audit log expiration to 180 days.

```shell
dsconf <instance> config replace nsslapd-accesslog-logexpirationtime=180 nsslapd-accesslog-logexpirationtimeunit=day
dsconf <instance> config replace nsslapd-errorlog-logexpirationtime=180 nsslapd-errorlog-logexpirationtimeunit=day
dsconf <instance> config replace nsslapd-auditlog-logexpirationtime=180 nsslapd-auditlog-logexpirationtimeunit=day
```
References

Implementation Notes
The fix commands set the expiration for all three log types - access, error, and audit - because 389DS manages retention independently per log. The logexpirationtimeunit attribute accepts day, week, or month; use day to keep the policy unambiguous.

Retention on the local filesystem must be balanced against available disk space: review nsslapd-accesslog-logmaxdiskspace (and the equivalent errorlog/auditlog attributes) to cap maximum disk usage.

For durable, tamper-resistant retention, rely on centralized log forwarding (389-LM-003) rather than local file rotation alone, and archive logs to object storage or a WORM-capable repository when policy requires it.

These attribute changes take effect without a server restart.
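Because the check above reads the raw attribute values and the unit can be day, week, or month, an auditor still has to normalize each log type's setting to days before comparing it against 180. The following is an added example, not part of this control or of the 389DS tooling: it parses the `attribute: value` lines that `dsconf <instance> config get` is assumed to print for the six expiration attributes and evaluates all three log types against the 180-day minimum, treating a month as 30 days (an assumption made for the check).

```python
import re

MIN_DAYS = 180  # minimum retention required by this control

# Conversion of nsslapd-*-logexpirationtimeunit values to days. 389DS accepts
# day, week and month; the 30-day month is an assumption made for this check.
UNIT_DAYS = {"day": 1, "week": 7, "month": 30}

LOG_TYPES = ("accesslog", "errorlog", "auditlog")


def parse_dsconf_output(text):
    """Parse 'attribute: value' lines, the assumed output format of
    `dsconf <instance> config get`, into a dict keyed by attribute name."""
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(.*?)\s*$", line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    return attrs


def retention_days(attrs, log_type):
    """Effective retention in days for one log type, or None if the
    expiration attributes are missing, unknown-unit or non-numeric."""
    value = attrs.get(f"nsslapd-{log_type}-logexpirationtime")
    unit = attrs.get(f"nsslapd-{log_type}-logexpirationtimeunit", "").lower()
    if value is None or unit not in UNIT_DAYS or not value.isdigit():
        return None
    return int(value) * UNIT_DAYS[unit]


def check_retention(text, min_days=MIN_DAYS):
    """Evaluate all three log types; returns {log_type: (days, compliant)}."""
    attrs = parse_dsconf_output(text)
    results = {}
    for log_type in LOG_TYPES:
        days = retention_days(attrs, log_type)
        results[log_type] = (days, days is not None and days >= min_days)
    return results


# Constructed sample output: the access log at 1 day fails, the error log at
# 26 weeks (182 days) passes, the audit log at 6 months (180 days) passes.
SAMPLE_OUTPUT = """\
nsslapd-accesslog-logexpirationtime: 1
nsslapd-accesslog-logexpirationtimeunit: day
nsslapd-errorlog-logexpirationtime: 26
nsslapd-errorlog-logexpirationtimeunit: week
nsslapd-auditlog-logexpirationtime: 6
nsslapd-auditlog-logexpirationtimeunit: month
"""
```

A log type whose attributes are missing from the output is reported as non-compliant with a retention of None, so an incomplete query is flagged rather than silently passed.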