Merge "V-38678: Auditd space_left size"

defaults/main.yml

@@ -133,6 +133,10 @@ disk_error_action: SYSLOG                         # V-38464
 # V-38468 before changing this option.
 # **DANGER**
 disk_full_action: SYSLOG                          # V-38468
+# V-38678 - Set the amount of megabytes left when the space_left_action
+# triggers. The STIG guideline doesn't specify a size, but Ubuntu chooses a
+# default of 75MB, which is reasonable.
+space_left: 75                                    # V-38678
 # **DANGER**
 # Set an action to occur when the disk is approaching its capacity.
 # Review the documentation for V-38470 before changing this option.

doc/source/developer-notes/V-38678.rst

@@ -0,0 +1,7 @@
+When auditd notices that free disk space on its logging partition is low, it
+will trigger the ``space_left_action``. The threshold of remaining disk space
+is configured by ``space_left`` in ``/etc/audit/auditd.conf``.
+
+By default, Ubuntu sets this value to 75 megabytes. The STIG doesn't set a
+specific requirement for the exact size, so the Ansible task will ensure that
+the Ubuntu default of 75 megabytes is set.

tasks/auditd.yml

@@ -137,6 +137,18 @@
     - cat2
     - V-38468
 
+- name: V-38678 - Lower limit of available disk space when auditd triggers space_left_action
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?space_left"
+    line: "space_left = {{ space_left }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38678
+
 - name: V-38470 - The audit system must take action when the disk is almost full
   lineinfile:
     dest: /etc/audit/auditd.conf