Major Hayden dccce1d5cc
Handle RHEL 7 STIG renumbering
This patch gets the docs adjusted to work with the new RHEL 7 STIG
version 1 release. The new STIG release has changed all of the
numbering, but it maintains a link to (most) of the old STIG IDs in
the XML.

Closes-bug: 1676865
Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
2017-04-04 07:22:12 -05:00


---
id: V-72121
status: opt-in
tag: auditd
---

The STIG requires that all lremovexattr syscalls are audited, but auditing them creates a significant increase in logging on most systems. This increase can cause some systems to run out of disk space for logs.

Warning

This rule is disabled by default to avoid high CPU usage and disk space exhaustion. Deployers should only enable this rule if they have tested it thoroughly in a non-production environment with system health monitoring enabled.

Deployers can opt in for this change by setting the following Ansible variable:

security_rhel7_audit_lremovexattr: yes

This rule is compatible with x86, x86_64, and ppc64 architectures.
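
After opting in, the loaded rule set can be checked for lremovexattr coverage by exact syscall name, since a substring match would also hit removexattr. The following is an added example, not part of the role or its documentation; it assumes rules in standard auditctl syntax and that both b32 and b64 rules are expected on a 64-bit host, and the sample rule set and its key name are constructed.

```python
import shlex

# Constructed sample in the style of auditctl -l output (not from a real host).
SAMPLE_RULES = """\
# constructed sample rule set
-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b32 -S lremovexattr -F key=perm_mod
-a always,exit -F arch=b64 -S setxattr,lsetxattr,removexattr -F key=perm_mod
"""


def audited_arches(rules_text, syscall="lremovexattr"):
    """Return the arch values whose 'always,exit' rules record `syscall`."""
    arches = set()
    for line in rules_text.splitlines():
        tokens = shlex.split(line, comments=True)
        action, arch, syscalls = set(), "native", set()
        # Walk consecutive (flag, value) pairs; unknown flags are ignored.
        for flag, value in zip(tokens, tokens[1:]):
            if flag in ("-a", "-A"):
                action = set(value.split(","))
            elif flag == "-S":
                # auditctl -l merges syscalls into one comma-separated list,
                # so compare whole names, never substrings.
                syscalls.update(value.split(","))
            elif flag == "-F" and value.startswith("arch="):
                arch = value.split("=", 1)[1]
        if action == {"always", "exit"} and syscalls & {syscall, "all"}:
            arches.add(arch)
    return arches


def missing_arches(rules_text, required=("b32", "b64")):
    """Return the required arch values that have no rule for lremovexattr."""
    return sorted(set(required) - audited_arches(rules_text))


if __name__ == "__main__":
    # On a live host, feed this the output of `auditctl -l` instead.
    gaps = missing_arches(SAMPLE_RULES)
    print("lremovexattr not audited for:", ", ".join(gaps) or "none")
```

In the sample, the b64 rule lists removexattr but not lremovexattr, so the check reports b64 as uncovered.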