Merge "V-3863{3,4,6}: Audit log files"

doc/source/developer-notes/V-38633.rst

@@ -0,0 +1,12 @@
+Ubuntu's default setting for ``max_log_files`` matches the STIG requirement of
+rotating logs when they reach 6MB. The Ansible task for this STIG
+requirement ensures that the secure default is maintained.
+
+Deployers who want to exceed the STIG guideline can increase the size of logs
+by adjusting the following Ansible variable:
+
+.. code-block:: yaml
+
+    max_log_file: 6
+
+

doc/source/developer-notes/V-38634.rst

@@ -0,0 +1,10 @@
+Ubuntu's default action for ``max_log_file_action`` is to rotate the logs.
+This meets the STIG requirements and the Ansible task will ensure that the
+secure default is maintained.
+
+Use caution when changing this option. Certain values, like ``SUSPEND`` will
+cause the audit daemon to lock the machine when the maximum size for a log
+file is reached. Review the audit documentation carefully before making
+adjustments.
+
+

doc/source/developer-notes/V-38636.rst

@@ -0,0 +1,12 @@
+Ubuntu keeps 5 rotated logs with the ``num_logs`` option and this meets the
+STIG requirement. The Ansible task will ensure that the secure default is
+maintained.
+
+Deployers who want to allow logs to grow to larger sizes prior to rotation can
+adjust the following Ansible variable:
+
+.. code-block:: yaml
+
+    num_logs: 5
+
+

openstack-ansible-security/defaults/main.yml

@@ -135,6 +135,17 @@ disk_full_action: SYSLOG                          # V-38468
 # Review the documentation for V-38470 before changing this option.
 # **DANGER**
 space_left_action: SYSLOG                         # V-38470
+# Set the maximum size of a rotated log file. Ubuntu's default
+# matches the STIG requirement of 6MB.
+max_log_file: 6                                   # V 38633
+# **DANGER**
+# Sets the action to take when log files reach the maximum file size.
+# Review the documentation for V-38634 before changing this option.
+# **DANGER**
+max_log_file_action: ROTATE                       # V-38634
+# Set the number of rotated audit logs to keep.  Ubuntu has 5 as the default
+# and this matches the STIG's requirements.
+num_logs: 5                                       # V-38636
 
 ## Authentication
 # V-38475 - There is no password length requirement by default in Ubuntu

openstack-ansible-security/tasks/auditd.yml

@@ -36,6 +36,42 @@
     - V-38632
     - V-38631
 
+- name: V-38633 - The system must set a maximum audit log file size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?max_log_file ="
+    line: "max_log_file = {{ max_log_file }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38633
+
+- name: V-38634 - The system must rotate audit log files that reach the max file size
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?max_log_file_action ="
+    line: "max_log_file_action = {{ max_log_file_action }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38634
+
+- name: V-38636 - The system must retain enough rotated audit logs to cover the required log retention period.
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?num_logs ="
+    line: "num_logs = {{ num_logs }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38636
+
 - name: V-38445 - Audit log files must be group-owned by root
   file:
     dest: /var/log/audit/