diff --git a/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md new file mode 100644 index 0000000000000000000000000000000000000000..6892e797b6be22ebe236acbc55ce98172008f131 --- /dev/null +++ b/benchmarks/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.md @@ -0,0 +1,30 @@ +# 2.25 确保审计日志不会自动删除 + +## 安全等级 + +- Level 3 + +## 描述: + +出于安全考虑,维护长时间的审计历史记录利大于弊。在`/etc/audit/auditd.conf`中,`max_log_file_action`配置项指定`max_log_file`容量达到设定的值时采取的动作。当该配置项设置为`keep_logs`时,系统将循环日志文件但会忽略num_logs参数(也就是不删除日志文件)。 + +## 修复建议 + +在`/etc/audit/auditd.conf`中将`max_log_file_action`选项设置为`keep_logs`: + +```bash +max_log_file_action = keep_logs +``` + +## 扫描检测 + +运行以下命令,并验证是否有如下输出: + +```bash +# grep max_log_file_action /etc/audit/auditd.conf +max_log_file_action = keep_logs +``` + +## 参考: + +- cis: \ No newline at end of file diff --git a/docs/summary-of-rules.md b/docs/summary-of-rules.md index 75c80019efc7b43e046c4c98ddf9c6dbfe5c86fd..6417f5bd610127815f650419f8ca1c8ce082fd78 100644 --- a/docs/summary-of-rules.md +++ b/docs/summary-of-rules.md 
@@ -75,6 +75,7 @@ | 2.22 | 2.22-ensure-that-changes-to-the-system-management-scope-sudoers-are-collected.md | 2.22 确保收集对系统管理范围(sudoers)的更改 | benchmarks/logging-and-auditing | 3 | | 2.23 | 2.23-ensure-that-events-that-modify-user-group-information-are-collected.md | 2.23 确保收集修改用户/组信息的事件 | benchmarks/logging-and-auditing | 3 | | 2.24 | 2.24-ensure-successful-and-unsuccessful-attempts-to-use-the-chsh-command-are-recorded.md | 2.24 确保记录成功或不成功使用chsh命令 | benchmarks/logging-and-auditing | 3 | +| 2.25 | 2.25-ensure-audit-logs-are-not-automatically-deleted.md | 2.25 确保审计日志不会自动删除 | benchmarks/logging-and-auditing | 3 | | 3.1 | 3.1-disable-http-server.md | 3.1 禁用HTTP Server | benchmarks/services | 1 | | 3.2 | 3.2-disable-ftp-server.md | 3.2 禁用FTP Server | benchmarks/services | 1 | | 3.3 | 3.3-disable-dns-server.md | 3.3 禁用DNS Server | benchmarks/services | 1 | diff --git a/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh new file mode 100644 index 0000000000000000000000000000000000000000..f97599e54bc13d64b16f1b81d507d682bbc4bd94 --- /dev/null +++ b/remediation-kits/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh @@ -0,0 +1,3 @@ +#!/bin/bash + +grep -Psq "^max_log_file_action\s*=.*" /etc/audit/auditd.conf && sed -i 's/^max_log_file_action.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf || echo "max_log_file_action = keep_logs" >> /etc/audit/auditd.conf \ No newline at end of file diff --git a/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh new file mode 100644 index 0000000000000000000000000000000000000000..a5ed931835712f59ff6c513277db811b39419749 --- /dev/null +++ b/scanners/logging-and-auditing/2.25-ensure-audit-logs-are-not-automatically-deleted.sh 
@@ -0,0 +1,9 @@ +#!/bin/bash + +[[ -e /etc/audit/auditd.conf ]] && output=$(grep -P "^max_log_file_action\s*=.*" /etc/audit/auditd.conf | cut -f2 -d= | sed -e 's/^[ ]*//g') + +if [[ "$output" == "keep_logs" ]] ; then + echo "pass" +else + echo "fail" +fi \ No newline at end of file
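Review bot: the 参考 section at the end of the new benchmark file (hunk `@@ -0,0 +1,30 @@`) is empty, `- cis:` with nothing after it, so the rule cannot be traced back to the CIS control it mirrors; fill in the benchmark name and section number, or drop the heading until a reference exists. Two documentation gaps in the same hunk: the 修复建议 only shows the line to put in `/etc/audit/auditd.conf` and does not say that auditd reads that file at startup, so the change takes effect only after the daemon is restarted (on RHEL-family systemd hosts the unit refuses a manual stop, so `service auditd restart` is the supported way to do that); and `keep_logs` means rotated logs are never removed, so the description should point readers at `space_left_action` / `admin_space_left_action` or an external archiving step, otherwise the partition holding `/var/log/audit` eventually fills and auditd's own disk-full handling takes over. Style: `## 描述:` and `## 参考:` carry a trailing colon while `## 安全等级`, `## 修复建议` and `## 扫描检测` do not, and the 修复建议 fence is tagged `bash` although it holds a config line rather than a shell command.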
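Review bot: the `grep -Psq ... && sed -i ... || echo ... >> /etc/audit/auditd.conf` chain in the remediation kit (hunk `@@ -0,0 +1,3 @@`) conflates two failure modes: if the key is present but `sed -i` fails (read-only root, immutable file, insufficient permission) the `||` branch runs and appends a second `max_log_file_action` line, leaving conflicting settings in the file; and if `/etc/audit/auditd.conf` does not exist because audit is not installed, `grep -s` fails silently and the append creates a one-line config that a later auditd install may read in place of its defaults. Prefer an explicit `if grep -q ...; then sed -i ...; else echo ... >> ...; fi` wrapped in a `[ -f /etc/audit/auditd.conf ]` guard, and use `grep -qE` rather than `-P` so the kit does not depend on PCRE support in grep. Two more points: the script edits the file but never restarts auditd, so the running daemon keeps its old `max_log_file_action` until the next restart while the file-based scanner already reports `pass`; and the script is committed without a trailing newline, and `echo >>` will likewise glue the new setting onto the last line if `auditd.conf` itself lacks one, which the scanner's `^max_log_file_action` anchor then will not match.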
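Review bot: the value extraction in the scanner (hunk `@@ -0,0 +1,9 @@`), `grep -P "^max_log_file_action\s*=.*" ... | cut -f2 -d= | sed -e 's/^[ ]*//g'`, strips only leading spaces, so a tab after `=` or trailing whitespace after `keep_logs` yields `fail` on a host that is compliant (the `\s*` before `=` accepts tabs that the `sed` then leaves in place); trim with `[[:space:]]` on both ends, e.g. `sed 's/^[[:space:]]*//;s/[[:space:]]*$//'`. The same pipeline passes through every matching line, so a file with two `max_log_file_action` entries (which the remediation kit's `echo >>` fallback can produce) gives a multi-line `$output` that never equals `keep_logs`; decide whether duplicates are a deliberate `fail` or whether the last entry wins (`tail -n 1`) and document that choice. Minor: the `[[ -e ... ]] && output=$(...)` guard leaves `output` unset when the file is missing, so "audit not installed" and "misconfigured" both print `fail` with exit status 0 and are indistinguishable to a caller; and the file, like the remediation kit, lacks a final newline.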