V-53481: Auditd disk space + single-user mode
Implements: blueprint security-hardening Change-Id: I3839996608f8b5e7805e0a313c625238a4644868
This commit is contained in:
parent
241f6cd074
commit
2b9a1cce25
@ -147,6 +147,13 @@ max_log_file_action: ROTATE # V-38634
|
|||||||
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
|
# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
|
||||||
# and this matches the STIG's requirements.
|
# and this matches the STIG's requirements.
|
||||||
num_logs: 5 # V-38636
|
num_logs: 5 # V-38636
|
||||||
|
# **IMMINENT DANGER**
|
||||||
|
# The STIG says that the system should switch to single user mode when the
|
||||||
|
# storage capacity gets very low. This can cause serious service disruptions
|
||||||
|
# and should only be set to 'single' for deployers in extremely high security
|
||||||
|
# environments. Ubuntu's default is SUSPEND, which will suspend logging.
|
||||||
|
# **IMMENENT DANGER**
|
||||||
|
admin_space_left_action: SUSPEND # V-54381
|
||||||
|
|
||||||
## Authentication
|
## Authentication
|
||||||
# V-38475 - There is no password length requirement by default in Ubuntu
|
# V-38475 - There is no password length requirement by default in Ubuntu
|
||||||
|
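Review bot: the closing banner of the new comment block reads `# **IMMENENT DANGER**` while the opening one reads `# **IMMINENT DANGER**`; fix the spelling so the two match. In the same block the value is written as 'single' in lower case while the shipped default on the next line is `SUSPEND` in upper case and the new developer note uses `SINGLE`; pick one spelling and use it throughout so readers do not wonder whether case matters. Also, the commit title says V-53481 while the comment on `admin_space_left_action: SUSPEND # V-54381`, the developer note filename `V-54381.rst` and the task tag all say V-54381; the digits in the title look transposed.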
17
doc/source/developer-notes/V-54381.rst
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
**Exception**
|
||||||
|
|
||||||
|
The STIG requires that the audit system must switch the entire system into
|
||||||
|
single-user mode when the space for logging becomes dangerously low.
|
||||||
|
|
||||||
|
**This will cause serious service disruptions for any environment and should
|
||||||
|
only be enabled for extremely high security environments.**
|
||||||
|
|
||||||
|
Ubuntu sets ``admin_space_left_action`` to ``SUSPEND`` by default, and this
|
||||||
|
will cause logging to be temporarily suspended until disk space is freed.
|
||||||
|
|
||||||
|
For extremely high security environments, this Ansible variable can be
|
||||||
|
provided to meet the requirements of the STIG:
|
||||||
|
|
||||||
|
.. code-block:: yaml
|
||||||
|
|
||||||
|
admin_space_left_action: SINGLE
|
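Review bot: the `.. code-block:: yaml` directive only renders as a literal block if the following line `admin_space_left_action: SINGLE` is indented beneath it, and the rendered diff does not show whether it is; please confirm the page builds with the value in a code block rather than as a stray paragraph. The note explains that `SUSPEND` "will cause logging to be temporarily suspended until disk space is freed", but it leaves deployers who keep that default without guidance: while logging is suspended no audit records are written, so a sentence advising them to monitor and alert on free space for the audit log partition would make the trade-off between the two values explicit.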
@ -150,3 +150,15 @@
|
|||||||
- auditd
|
- auditd
|
||||||
- cat3
|
- cat3
|
||||||
- V-38471
|
- V-38471
|
||||||
|
|
||||||
|
- name: V-54381 - The audit system must switch to single user mode when disk space is low
|
||||||
|
lineinfile:
|
||||||
|
dest: /etc/audit/auditd.conf
|
||||||
|
regexp: "^(#)?admin_space_left_action"
|
||||||
|
line: "admin_space_left_action = {{ admin_space_left_action }}"
|
||||||
|
notify:
|
||||||
|
- restart auditd
|
||||||
|
tags:
|
||||||
|
- auditd
|
||||||
|
- cat2
|
||||||
|
- V-54381
|
||||||
|
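Review bot: the regexp `"^(#)?admin_space_left_action"` only matches a commented-out line written as `#admin_space_left_action`; a line written as `# admin_space_left_action` (space after the hash) or an indented one would not match, and `lineinfile` would then append a second, uncommented line at the end of `/etc/audit/auditd.conf` instead of replacing the existing one. Something like `regexp: '^\s*#?\s*admin_space_left_action\s*='` (adjusted to whatever the shipped file actually contains) keeps the intent of the `(#)?` group while covering those forms. The task name says the audit system "must switch to single user mode", but with the default from the first hunk the line written is `admin_space_left_action = SUSPEND`; naming the task after what it does (set `admin_space_left_action` from the variable) avoids implying that single-user mode is what gets applied. Nothing validates `{{ admin_space_left_action }}` before it is written, so a typo in the variable lands in auditd.conf and only surfaces when the `restart auditd` handler runs; an `assert` that the value is one of the expected actions would fail early and with a clearer message.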