From 6ce54e019c1743a6e794087cb2ffeb405d25f5f8 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Thu, 8 Oct 2015 09:36:28 -0500
Subject: [PATCH] V-3863{3,4,6}: Audit log files

Implements: blueprint security-hardening
Change-Id: Iea8c03d78b81273d8373029c4d18115136d0abf1
---
 doc/source/developer-notes/V-38633.rst | 12 +++++++
 doc/source/developer-notes/V-38634.rst | 10 ++++++
 doc/source/developer-notes/V-38636.rst | 12 +++++++
 openstack-ansible-security/defaults/main.yml | 11 ++++++
 openstack-ansible-security/tasks/auditd.yml | 36 ++++++++++++++++++++
 5 files changed, 81 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38633.rst
 create mode 100644 doc/source/developer-notes/V-38634.rst
 create mode 100644 doc/source/developer-notes/V-38636.rst

diff --git a/doc/source/developer-notes/V-38633.rst b/doc/source/developer-notes/V-38633.rst
new file mode 100644
index 00000000..b03c4f71
--- /dev/null
+++ b/doc/source/developer-notes/V-38633.rst
@@ -0,0 +1,12 @@
+Ubuntu's default setting for ``max_log_files`` matches the STIG requirement of
+rotating logs when they reach 6MB. The Ansible task for this STIG
+requirement ensures that the secure default is maintained.
+
+Deployers who want to exceed the STIG guideline can increase the size of logs
+by adjusting the following Ansible variable:
+
+.. code-block:: yaml
+
+   max_log_file: 6
+
+
diff --git a/doc/source/developer-notes/V-38634.rst b/doc/source/developer-notes/V-38634.rst
new file mode 100644
index 00000000..278e1a30
--- /dev/null
+++ b/doc/source/developer-notes/V-38634.rst
@@ -0,0 +1,10 @@
+Ubuntu's default action for ``max_log_file_action`` is to rotate the logs.
+This meets the STIG requirements and the Ansible task will ensure that the
+secure default is maintained.
+
+Use caution when changing this option. Certain values, like ``SUSPEND`` will
+cause the audit daemon to lock the machine when the maximum size for a log
+file is reached. Review the audit documentation carefully before making
+adjustments.
+
+
diff --git a/doc/source/developer-notes/V-38636.rst b/doc/source/developer-notes/V-38636.rst
new file mode 100644
index 00000000..1711229f
--- /dev/null
+++ b/doc/source/developer-notes/V-38636.rst
@@ -0,0 +1,12 @@
+Ubuntu keeps 5 rotated logs with the ``num_logs`` option and this meets the
+STIG requirement. The Ansible task will ensure that the secure default is
+maintained.
+
+Deployers who want to allow logs to grow to larger sizes prior to rotation can
+adjust the following Ansible variable:
+
+.. code-block:: yaml
+
+   num_logs: 5
+
+
diff --git a/openstack-ansible-security/defaults/main.yml b/openstack-ansible-security/defaults/main.yml
index 7d247c16..7ace1210 100644
--- a/openstack-ansible-security/defaults/main.yml
+++ b/openstack-ansible-security/defaults/main.yml
@@ -135,6 +135,17 @@ disk_full_action: SYSLOG # V-38468
 # Review the documentation for V-38470 before changing this option.
 # **DANGER**
 space_left_action: SYSLOG # V-38470
+# Set the maximum size of a rotated log file. Ubuntu's default
+# matches the STIG requirement of 6MB.
+max_log_file: 6 # V 38633
+# **DANGER**
+# Sets the action to take when log files reach the maximum file size.
+# Review the documentation for V-38634 before changing this option.
+# **DANGER**
+max_log_file_action: ROTATE # V-38634
+# Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
+# and this matches the STIG's requirements.
+num_logs: 5 # V-38636
 
 ## Authentication
 # V-38475 - There is no password length requirement by default in Ubuntu
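Review bot: The inline marker on the new `max_log_file: 6` line reads `# V 38633`, while every other default in this hunk uses the `# V-NNNNN` form (`# V-38634`, `# V-38636`), so a search for the STIG id will not find this setting; change it to `max_log_file: 6 # V-38633`. The comment above it describes the value as the size of a rotated log, but per the V-38633 note in this commit it is the size at which auditd rotates, so `# Set the size in MB an audit log may reach before it is rotated.` is more accurate. Since `max_log_file_action` is wrapped in **DANGER** markers like `space_left_action`, it would help to say here, as the V-38634 note does, that values other than ROTATE can stop the audit daemon or lock the machine when the limit is hit, which is why the default should only be changed deliberately.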
diff --git a/openstack-ansible-security/tasks/auditd.yml b/openstack-ansible-security/tasks/auditd.yml
index a78455df..c1fe2859 100644
--- a/openstack-ansible-security/tasks/auditd.yml
+++ b/openstack-ansible-security/tasks/auditd.yml
@@ -36,6 +36,42 @@
     - V-38632
     - V-38631
 
+- name: V-38633 - The system must set a maximum audit log file size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?max_log_file ="
+    line: "max_log_file = {{ max_log_file }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38633
+
+- name: V-38634 - The system must rotate audit log files that reach the max file size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?max_log_file_action ="
+    line: "max_log_file_action = {{ max_log_file_action }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38634
+
+- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?num_logs ="
+    line: "num_logs = {{ num_logs }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38636
+
 - name: V-38445 - Audit log files must be group-owned by root
   file:
     dest: /var/log/audit/
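Review bot: The `regexp` in each of the three new lineinfile tasks requires exactly one space before `=` (`"^(#)?max_log_file ="`), so a pre-existing `max_log_file=6` or `max_log_file  = 6` line in /etc/audit/auditd.conf is not matched and the rendered line is appended, leaving two directives whose precedence depends on auditd's config parser rather than on this task. A whitespace-tolerant pattern such as `regexp: '^(#)?\s*max_log_file\s*='` (and the same shape for `max_log_file_action` and `num_logs`) keeps the tasks idempotent on hand-edited configs; single quotes avoid having to double the backslashes in YAML. Separately, the V-38636 task name ends with a period while the V-38633 and V-38634 names do not.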