Set audisp failure options [+Docs]
This patch adds configurations for audisp when the disk is full on the remote server or when there is a network interruption between the local system and the remote audisp server. It also explicitly installs auditd/audisp-plugins to ensure that auditd and the remote audisp log sender are installed on CentOS/RHEL. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I589ae00a70582ee3f5d48453b3c20f23752adfa6
This commit is contained in:
parent
439cd3d776
commit
fd4fa2d3d7
|
@ -391,6 +391,9 @@ security_unattended_upgrades_notifications: false
|
|||
#security_audisp_enable_krb5: yes # RHEL-07-030331
|
||||
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
|
||||
security_rhel7_audit_failure_flag: 1 # RHEL-07-030090
|
||||
# Set the action to take when the disk is full or network events cannot be sent.
|
||||
security_rhel7_auditd_disk_full_action: syslog # RHEL-07-030340
|
||||
security_rhel7_auditd_network_failure_action: syslog # RHEL-07-030340
|
||||
# Add audit rules for commands/syscalls.
|
||||
security_rhel7_audit_chsh: yes # RHEL-07-030525
|
||||
security_rhel7_audit_chage: yes # RHEL-07-030513
|
||||
|
|
|
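Review bot: The new comment above `security_rhel7_auditd_disk_full_action` does not say which values the setting accepts, and since this value is written verbatim into audisp-remote.conf a deployer who guesses (e.g. `email`, `stop_logging`) gets a config the plugin rejects on the next auditd restart rather than an Ansible error. I would extend the comment to `# Set the action to take when the remote disk is full or network events cannot be sent.` followed by `# Valid values are the actions listed in audisp-remote.conf(5) (ignore, syslog, exec, warn_once, suspend, single, halt on RHEL 7 — confirm against the target release).` It is also worth stating here, as the docs do, that `single` and `halt` take the node down on a remote logging failure, since defaults/main.yml is the file deployers actually read when overriding.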
@ -1,7 +1,32 @@
|
|||
---
|
||||
id: RHEL-07-030340
|
||||
status: not implemented
|
||||
tag: misc
|
||||
status: implemented
|
||||
tag: auditd
|
||||
---
|
||||
|
||||
This STIG requirement is not yet implemented.
|
||||
The tasks in the security role set the ``disk_full_action`` and
|
||||
``network_failure_action`` to ``syslog`` in the audispd remote configuration.
|
||||
In the event of a full disk on the remote log server or a network interruption,
|
||||
the local system sends warnings to syslog. This is the safest option since it
|
||||
maximizes the availability of the local system.
|
||||
|
||||
Deployers have two other options available:
|
||||
|
||||
* ``single``: Switch the local server into single-user mode in the event of a
|
||||
logging failure.
|
||||
|
||||
* ``halt``: Shut off the local server gracefully in the event of a logging
|
||||
failure.
|
||||
|
||||
.. warning::
|
||||
|
||||
Choosing ``single`` or ``halt`` causes a server to go into a degraded or
|
||||
offline state immediately after a logging failure.
|
||||
|
||||
Deployers can adjust these configurations by setting the following Ansible
|
||||
variables (the safe defaults are shown here):
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
security_rhel7_auditd_disk_full_action: syslog
|
||||
security_rhel7_auditd_network_failure_action: syslog
|
||||
|
|
|
@ -21,6 +21,15 @@
|
|||
tags:
|
||||
- always
|
||||
|
||||
- name: Verify that audisp-remote.conf exists
|
||||
stat:
|
||||
path: /etc/audisp/audisp-remote.conf
|
||||
register: audisp_remote_conf
|
||||
check_mode: no
|
||||
tags:
|
||||
- always
|
||||
|
||||
|
||||
- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
|
||||
lineinfile:
|
||||
dest: /etc/audisp/audisp-remote.conf
|
||||
|
@ -135,6 +144,22 @@
|
|||
- RHEL-07-030710
|
||||
- RHEL-07-030090
|
||||
|
||||
- name: Adjust auditd/audispd configurations
|
||||
lineinfile:
|
||||
dest: "{{ item.config }}"
|
||||
regexp: '^#?{{ item.parameter }}\s*='
|
||||
line: "{{ item.parameter }} = {{ item.value }}"
|
||||
with_items: "{{ auditd_config }}"
|
||||
when:
|
||||
- auditd_conf.stat.exists
|
||||
- audisp_remote_conf.stat.exists
|
||||
notify:
|
||||
- restart auditd
|
||||
tags:
|
||||
- high
|
||||
- auditd
|
||||
- RHEL-07-030340
|
||||
|
||||
- name: Ensure auditd is running and enabled at boot time
|
||||
service:
|
||||
name: auditd
|
||||
|
|
|
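Review bot: The "Adjust auditd/audispd configurations" task writes `{{ item.value }}` into audisp-remote.conf without checking that it is an action audisp-remote understands, so a typo in either variable is only discovered when the notified `restart auditd` handler runs and the remote plugin fails to parse its config, at which point audit off-loading stops with nothing in the play output. An `assert` task in front of the lineinfile, under the same `when`, turns that into a fail-fast at configuration time. Two smaller points: the task is guarded by `auditd_conf.stat.exists` although neither item touches auditd.conf (harmless but misleading), and on a fresh host the stat of audisp-remote.conf at the top of this file presumably runs before the package task that installs audispd-plugins, so the first run may skip this task entirely — worth confirming the task ordering.

```yaml
- name: Verify the audispd failure actions are values audisp-remote accepts
  assert:
    that:
      - item.value in ['ignore', 'syslog', 'exec', 'warn_once', 'suspend', 'single', 'halt']
    msg: "{{ item.parameter }} must be one of the actions listed in audisp-remote.conf(5)"
  with_items: "{{ auditd_config }}"
  when:
    - audisp_remote_conf.stat.exists
  tags:
    - high
    - auditd
    - RHEL-07-030340

# … unchanged: Adjust auditd/audispd configurations task …
```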
@ -20,6 +20,15 @@
|
|||
# - vars/redhat.yml
|
||||
# - vars/ubuntu.yml
|
||||
|
||||
## auditd configuration
|
||||
auditd_config:
|
||||
- parameter: disk_full_action
|
||||
value: "{{ security_rhel7_auditd_disk_full_action }}"
|
||||
config: /etc/audisp/audisp-remote.conf
|
||||
- parameter: network_failure_action
|
||||
value: "{{ security_rhel7_auditd_network_failure_action }}"
|
||||
config: /etc/audisp/audisp-remote.conf
|
||||
|
||||
## auditd rules
|
||||
# This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
|
||||
# for various commands and syscalls.
|
||||
|
|
|
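Review bot: The `auditd_config` list has no comment explaining how its entries are consumed, unlike the `auditd rules` section right below it, and the name suggests auditd.conf while both entries actually target the audispd remote plugin. I would add above it `# Each entry is written as "parameter = value" into the given config file; both entries here configure the audisp-remote plugin (RHEL 7 path), not auditd.conf.` and, if the task guard stays as written, `# Entries are skipped when the config file does not exist on the host.` Keeping `config:` per entry is fine, but a reader should know that a new entry pointing at /etc/audit/auditd.conf would be silently skipped until the corresponding stat task exists.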
@ -96,6 +96,8 @@ stig_packages:
|
|||
# RHEL 7 STIG: Packages to add/remove
|
||||
stig_packages_rhel7:
|
||||
- packages:
|
||||
- audispd-plugins
|
||||
- audit
|
||||
- openssh-clients
|
||||
- openssh-server
|
||||
- screen
|
||||
|
|
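Review bot: Adding `audispd-plugins` only installs the remote sender; the package ships the au-remote plugin disabled (`active = no` in /etc/audisp/plugins.d/au-remote.conf), so the `disk_full_action`/`network_failure_action` values this commit configures have no effect until that plugin is activated and `remote_server` is set. If the role flips `active` elsewhere (not visible in this diff), a comment here such as `# audispd-plugins: provides audisp-remote; activation is handled by the RHEL-07-030330 tasks` would save the next reader a search; if it does not, the commit message's "ensure ... the remote audisp log sender" is only half true and the activation step is still missing.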