Disable auditd rules for deletions

The rules recommended by the STIG for monitoring deleted files/directories causes significant load during OpenStack-Ansible deployments and during package updates. This is a blocker for integrating openstack-ansible-security with AIO builds in OpenStack-Ansible. Closes-Bug: 1535463 Change-Id: I5db355ad1b006da1cab2fafa09e415666b6d5f90
2016-01-19 09:04:19 -06:00 · 2016-01-19 09:04:19 -06:00 · 62e1600993
commit 62e1600993
parent 779430a78e
2 changed files with 14 additions and 2 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -67,7 +67,7 @@ auditd_rules:
  DAC_fsetxattr: yes                              # V-38557
  DAC_lsetxattr: yes                              # V-38561
  DAC_setxattr: yes                               # V-38565
-  deletions: yes                                  # V-38575
+  deletions: no                                   # V-38575
  failed_access: yes                              # V-38566
  filesystem_mounts: yes                          # V-38568
  kernel_modules: yes                             # V-38580
--- a/doc/source/developer-notes/V-38575.rst
+++ b/doc/source/developer-notes/V-38575.rst
@ -1 +1,13 @@
-Rules are added for auditing deletions of files and programs.
+**Exception**
+
+The audit rules for monitoring deleted files can cause very high system load
+during OpenStack-Ansible deployments and during package updates using apt.
+It's recommended that deployers keep these rules disabled unless they're
+explicitly required.
+
+These rules are disabled by default, but they can be enabled by setting the
+following Ansible variable:
+
+.. code-block:: yaml
+
+    auditd_rules['deletions'] = no