Set audisp failure options [+Docs]

This patch adds configurations for audisp when the disk is rull on the remote server or when there is a network interruption between the local system and the remote audisp server. It also explicitly installs auditd/audisp-plugins to ensure that auditd and the remote audisp log sender are installed on CentOS/RHEL. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I589ae00a70582ee3f5d48453b3c20f23752adfa6
2016-12-06 08:57:23 -06:00 · 2016-12-06 08:57:23 -06:00 · fd4fa2d3d7
parent 439cd3d776
commit fd4fa2d3d7
5 changed files with 67 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -391,6 +391,9 @@ security_unattended_upgrades_notifications: false
 #security_audisp_enable_krb5: yes                            # RHEL-07-030331
 # Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
 security_rhel7_audit_failure_flag: 1                         # RHEL-07-030090
+# Set the action to take when the disk is full or network events cannot be sent.
+security_rhel7_auditd_disk_full_action: syslog               # RHEL-07-030340
+security_rhel7_auditd_network_failure_action: syslog         # RHEL-07-030340
 # Add audit rules for commands/syscalls.
 security_rhel7_audit_chsh: yes                               # RHEL-07-030525
 security_rhel7_audit_chage: yes                              # RHEL-07-030513
--- a/doc/metadata/rhel7/RHEL-07-030340.rst
+++ b/doc/metadata/rhel7/RHEL-07-030340.rst
@ -1,7 +1,32 @@
 ---
 id: RHEL-07-030340
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The tasks in the security role set the ``disk_full_action`` and
+``network_failure_action`` to ``syslog`` in the audispd remote configuration.
+In the event of a full disk on the remote log server or a network interruption,
+the local system sends warnings to syslog. This is the safest option since it
+maximizes the availability of the local system.
+
+Deployers have two other options available:
+
+* ``single``: Switch the local server into single-user mode in the event of a
+  logging failure.
+
+* ``halt``: Shut off the local server gracefully in the event of a logging
+  failure.
+
+.. warning::
+
+    Choosing ``single`` or ``halt`` causes a server to go into a degraded or
+    offline state immediately after a logging failure.
+
+Deployers can adjust these configurations by setting the following Ansible
+variables (the safe defaults are shown here):
+
+.. code-block:: yaml
+
+    security_rhel7_auditd_disk_full_action: syslog
+    security_rhel7_auditd_network_failure_action: syslog
--- a/tasks/rhel7stig/auditd.yml
+++ b/tasks/rhel7stig/auditd.yml
@ -21,6 +21,15 @@
  tags:
    - always

+- name: Verify that audisp-remote.conf exists
+  stat:
+    path: /etc/audisp/audisp-remote.conf
+  register: audisp_remote_conf
+  check_mode: no
+  tags:
+    - always
+
+
 - name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
  lineinfile:
    dest: /etc/audisp/audisp-remote.conf
@ -135,6 +144,22 @@
    - RHEL-07-030710
    - RHEL-07-030090

+- name: Adjust auditd/audispd configurations
+  lineinfile:
+    dest: "{{ item.config }}"
+    regexp: '^#?{{ item.parameter }}\s*='
+    line: "{{ item.parameter }} = {{ item.value }}"
+  with_items: "{{ auditd_config }}"
+  when:
+    - auditd_conf.stat.exists
+    - audisp_remote_conf.stat.exists
+  notify:
+    - restart auditd
+  tags:
+    - high
+    - auditd
+    - RHEL-07-030340
+
 - name: Ensure auditd is running and enabled at boot time
  service:
    name: auditd
--- a/vars/common.yml
+++ b/vars/common.yml
@ -20,6 +20,15 @@
 #   - vars/redhat.yml
 #   - vars/ubuntu.yml

+## auditd configuration
+auditd_config:
+  - parameter: disk_full_action
+    value: "{{ security_rhel7_auditd_disk_full_action }}"
+    config: /etc/audisp/audisp-remote.conf
+  - parameter: network_failure_action
+    value: "{{ security_rhel7_auditd_network_failure_action }}"
+    config: /etc/audisp/audisp-remote.conf
+
 ## auditd rules
 # This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
 # for various commands and syscalls.
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -96,6 +96,8 @@ stig_packages:
 # RHEL 7 STIG: Packages to add/remove
 stig_packages_rhel7:
  - packages:
+      - audispd-plugins
+      - audit
      - openssh-clients
      - openssh-server
      - screen