V-53481: Auditd disk space + single-user mode

Implements: blueprint security-hardening Change-Id: I3839996608f8b5e7805e0a313c625238a4644868
2015-10-09 15:55:56 -05:00 · 2015-10-09 15:55:56 -05:00 · 2b9a1cce25
commit 2b9a1cce25
parent 241f6cd074
3 changed files with 36 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -147,6 +147,13 @@ max_log_file_action: ROTATE                       # V-38634
 # Set the number of rotated audit logs to keep.  Ubuntu has 5 as the default
 # and this matches the STIG's requirements.
 num_logs: 5                                       # V-38636
+# **IMMINENT DANGER**
+# The STIG says that the system should switch to single user mode when the
+# storage capacity gets very low. This can cause serious service disruptions
+# and should only be set to 'single' for deployers in extremely high security
+# environments. Ubuntu's default is SUSPEND, which will suspend logging.
+# **IMMENENT DANGER**
+admin_space_left_action: SUSPEND                  # V-54381

 ## Authentication
 # V-38475 - There is no password length requirement by default in Ubuntu
--- a/doc/source/developer-notes/V-54381.rst
+++ b/doc/source/developer-notes/V-54381.rst
@ -0,0 +1,17 @@
+**Exception**
+
+The STIG requires that the audit system must switch the entire system into
+single-user mode when the space for logging becomes dangerously low.
+
+**This will cause serious service disruptions for any environment and should
+only be enabled for extremely high security environments.**
+
+Ubuntu sets ``admin_space_left_action`` to ``SUSPEND`` by default, and this
+will cause logging to be temporarily suspended until disk space is freed.
+
+For extremely high security environments, this Ansible variable can be
+provided to meet the requirements of the STIG:
+
+.. code-block:: yaml
+
+    admin_space_left_action: SINGLE
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@ -150,3 +150,15 @@
    - auditd
    - cat3
    - V-38471
+
+- name: V-54381 - The audit system must switch to single user mode when disk space is low
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?admin_space_left_action"
+    line: "admin_space_left_action = {{ admin_space_left_action }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-54381