Transmit audit logs to other servers

This patch adds docs and tasks for RHEL-07-030330. Deployers should specify a host to receive audit logs. The tasks will only take action when a host is specified with `security_audisp_remote_server`. Implements: blueprint security-rhel7-stig Change-Id: Ic37764766f3e254e46bad6b81f274c0a8677ab6a
2016-11-08 16:16:08 -06:00 · 2016-11-08 16:16:08 -06:00 · 8daae8cd7e
commit 8daae8cd7e
parent a3e0f681d8
5 changed files with 43 additions and 3 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -384,6 +384,10 @@ security_unattended_upgrades_notifications: false
 #
 ###############################################################################

+## Audit daemon (auditd)
+# Send audit records to a different system using audisp.
+#security_audisp_remote_server: '10.0.21.1'                  # RHEL-07-030330
+
 ## Authentication (auth)
 # Disallow logins from accounts with blank/null passwords via PAM.
 security_disallow_blank_password_login: yes                  # RHEL-07-010260
--- a/doc/metadata/rhel7/RHEL-07-030330.rst
+++ b/doc/metadata/rhel7/RHEL-07-030330.rst
@ -1,7 +1,13 @@
 ---
 id: RHEL-07-030330
-status: not implemented
-tag: misc
+status: opt-in
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The ``audispd`` service transmits audit logs to other servers.  Deployers
+should specify the address of another server that can receive audit logs by
+setting the following Ansible variable:
+
+.. code-block:: yaml
+
+    security_audisp_remote_server: '10.0.21.1'
--- a/tasks/rhel7stig/auditd.yml
+++ b/tasks/rhel7stig/auditd.yml
@ -0,0 +1,28 @@
+---
+# Copyright 2016, Rackspace US, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+- name: RHEL-07-030330 - The operating system must off-load audit records onto a different system or media from the system being audited
+  lineinfile:
+    dest: /etc/audisp/audisp-remote.conf
+    regexp: "^(#)?remote_server"
+    line: "remote_server = {{ security_audisp_remote_server }}"
+  when:
+    - security_audisp_remote_server is defined
+  notify:
+    - restart auditd
+  tags:
+    - medium
+    - auditd
+    - RHEL-07-030330
--- a/vars/redhat.yml
+++ b/vars/redhat.yml
@ -34,6 +34,7 @@ grub_update_cmd: "grub2-mkconfig -o /boot/grub/grub.conf"
 stig_packages:
  - packages:
      - audit
+      - audispd-plugins
      - aide
      - chrony
      - logrotate
--- a/vars/ubuntu.yml
+++ b/vars/ubuntu.yml
@ -37,6 +37,7 @@ grub_update_cmd: "update-grub"
 stig_packages:
  - packages:
      - auditd
+      - audispd-plugins
      - aide
      - aide-common
      - chrony