Set auditd failure flag [+Docs]

This patch sets the auditd failure flag and controls what auditd does when there is an auditing failure. Changing this setting can cause a system to go offline and this is noted thoroughly in the documentation. Implements: blueprint security-rhel7-stig Change-Id: I3eb76804a0335596afd3591ae0133fca7568d0cb
2016-11-29 16:20:32 -06:00 · 2016-11-29 16:20:32 -06:00 · 0eece28000
parent 04ff6e1c89
commit 0eece28000
4 changed files with 31 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -389,6 +389,8 @@ security_unattended_upgrades_notifications: false
 #security_audisp_remote_server: '10.0.21.1'                  # RHEL-07-030330
 # Encrypt audit records when they are transmitted over the network.
 #security_audisp_enable_krb5: yes                            # RHEL-07-030331
+# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
+security_rhel7_audit_failure_flag: 1                         # RHEL-07-030090
 # Add audit rules for commands/syscalls.
 security_rhel7_audit_chsh: yes                               # RHEL-07-030525
 security_rhel7_audit_chage: yes                              # RHEL-07-030513
--- a/doc/metadata/rhel7/RHEL-07-030090.rst
+++ b/doc/metadata/rhel7/RHEL-07-030090.rst
@ -1,7 +1,29 @@
 ---
 id: RHEL-07-030090
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The audit daemon takes various actions when there is an auditing failure. There
+are three options for the ``-f`` flag for ``auditctl``:
+
+* ``0``: In the event of an auditing failure, do nothing.
+* ``1``: In the event of an auditing failure, write messages to the kernel log.
+* ``2``: In the event of an auditing failure, cause a kernel panic.
+
+Most operating systems set the failure flag to ``1`` by default, which
+maximizes system availability while still causing an alert. The tasks in the
+security role set the flag to ``1`` by default.
+
+Deployers can adjust the following Ansible variable to customize the failure
+flag:
+
+.. code-block:: yaml
+
+    security_rhel7_audit_failure_flag: 1
+
+.. warning::
+
+    Setting the failure flag to ``2`` is **strongly** discouraged unless the
+    security of the system takes priority over its availability. Any failure in
+    auditing causes a kernel panic and the system requires a hard reboot.
--- a/tasks/rhel7stig/auditd.yml
+++ b/tasks/rhel7stig/auditd.yml
@ -133,3 +133,4 @@
    - RHEL-07-030673
    - RHEL-07-030674
    - RHEL-07-030710
+    - RHEL-07-030090
--- a/templates/osas-auditd-rhel7.j2
+++ b/templates/osas-auditd-rhel7.j2
@ -85,3 +85,6 @@
 -w /etc/shadow -p wa -k RHEL-07-030710
 -w /etc/security/opasswd -p wa -k RHEL-07-030710
 {% endif %}
+
+# Set the auditd failure flag
+-f {{ security_rhel7_audit_failure_flag }}