Major Hayden
This patch adds configurations for audisp when the disk is full on the remote server or when there is a network interruption between the local system and the remote audisp server. It also explicitly installs auditd/audisp-plugins to ensure that auditd and the remote audisp log sender are installed on CentOS/RHEL.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I589ae00a70582ee3f5d48453b3c20f23752adfa6
---
id: RHEL-07-030340
status: implemented
tag: auditd
---

The tasks in the security role set the `disk_full_action` and `network_failure_action` to `syslog` in the audispd remote configuration. In the event of a full disk on the remote log server or a network interruption, the local system sends warnings to syslog. This is the safest option since it maximizes the availability of the local system.

Deployers have two other options available:

- `single`: Switch the local server into single-user mode in the event of a logging failure.
- `halt`: Shut off the local server gracefully in the event of a logging failure.

Warning

Choosing `single` or `halt` causes a server to go into a degraded or offline state immediately after a logging failure.

Deployers can adjust these configurations by setting the following Ansible variables (the safe defaults are shown here):

```yaml
security_rhel7_auditd_disk_full_action: syslog
security_rhel7_auditd_network_failure_action: syslog
```
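
To confirm what a host ended up with after the role ran, the following added example (not part of the role or of this commit) reads both settings from an audisp remote configuration file and flags `single` or `halt` as availability-impacting. It assumes a `key = value` file such as `/etc/audisp/audisp-remote.conf` on RHEL/CentOS 7; the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumption: the settings live in a "key = value" file such as
# /etc/audisp/audisp-remote.conf on RHEL/CentOS 7.

# Print the last uncommented value of KEY in FILE, lowercased; empty if unset.
audisp_action() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (tolower(k) == key) val = tolower(v)
        }
        END { print val }' "$1"
}

# 0 = syslog (role default), 1 = single/halt, 2 = unset or anything else.
classify_action() {
    case "$1" in
        syslog)      return 0 ;;
        single|halt) return 1 ;;
        *)           return 2 ;;
    esac
}

# Report both settings; the return status is the worst classification seen.
check_audisp_remote() {
    worst=0
    for key in disk_full_action network_failure_action; do
        val=$(audisp_action "$1" "$key")
        rc=0
        classify_action "$val" || rc=$?
        case "$rc" in
            0) echo "OK   $key = $val" ;;
            1) echo "WARN $key = $val (host degrades or halts on logging failure)" ;;
            *) echo "FAIL $key = ${val:-unset} (not syslog, single or halt)" ;;
        esac
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Constructed sample input, not taken from a real host.
sample=$(mktemp)
printf '%s\n' 'remote_server = 192.0.2.10' '# disk_full_action = halt' \
    'disk_full_action = syslog' 'network_failure_action = single' > "$sample"
check_audisp_remote "$sample" || echo "status: $?"
rm -f "$sample"
```

A return status of 1 means the configuration is one the note above allows but that takes the host out of service on a logging failure, so it should be a deliberate choice rather than drift.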