Set space_left in auditd [+Docs]

This patch sets the `space_left` in the auditd config to 25% of the disk space on the root disk. Deployers can customize this variable. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: I7a91a756fb920decbd1056e7f11f7dd548f2cac8
2016-12-06 09:40:24 -06:00 · 2016-12-06 09:40:24 -06:00 · 42ca47bb41
parent 8268a2ead6
commit 42ca47bb41
3 changed files with 18 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -394,6 +394,8 @@ security_rhel7_audit_failure_flag: 1                         # RHEL-07-030090
 # Set the action to take when the disk is full or network events cannot be sent.
 security_rhel7_auditd_disk_full_action: syslog               # RHEL-07-030340
 security_rhel7_auditd_network_failure_action: syslog         # RHEL-07-030340
+# Size of remaining disk space (in MB) that triggers alerts.
+security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # RHEL-07-030350
 # Add audit rules for commands/syscalls.
 security_rhel7_audit_chsh: yes                               # RHEL-07-030525
 security_rhel7_audit_chage: yes                              # RHEL-07-030513
--- a/doc/metadata/rhel7/RHEL-07-030350.rst
+++ b/doc/metadata/rhel7/RHEL-07-030350.rst
@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030350
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The ``space_left`` configuration is set to 25% of the size of the disk mounted
+on ``/``.  This calculation is done automatically.
+
+Deployers can set a custom threshold for the ``space_left`` configuration (in
+megabytes) by setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    # Example: A setting of 1GB (1024MB)
+    security_rhel7_auditd_space_left: 1024
--- a/vars/common.yml
+++ b/vars/common.yml
@ -28,6 +28,10 @@ auditd_config:
  - parameter: network_failure_action
    value: "{{ security_rhel7_auditd_network_failure_action }}"
    config: /etc/audisp/audisp-remote.conf
+  - parameter: space_left
+    value: "{{ security_rhel7_auditd_space_left }}"
+    config: /etc/audit/auditd.conf
+

 ## auditd rules
 # This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules