openstack/ansible-hardening
Code Issues Proposed changes

Merge "Set auditd failure flag [+Docs]"

Browse Source
This commit is contained in:
Jenkins
2016-12-01 00:16:30 +00:00
committed by Gerrit Code Review
parent 4d15cac6f7 0eece28000
commit a53ad667ae
4 changed files with 31 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@@ -389,6 +389,8 @@ security_unattended_upgrades_notifications: false
#security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330 #security_audisp_remote_server: '10.0.21.1' # RHEL-07-030330
# Encrypt audit records when they are transmitted over the network. # Encrypt audit records when they are transmitted over the network.
#security_audisp_enable_krb5: yes # RHEL-07-030331 #security_audisp_enable_krb5: yes # RHEL-07-030331
# Set the auditd failure flag. WARNING: READ DOCUMENTATION BEFORE CHANGING!
security_rhel7_audit_failure_flag: 1 # RHEL-07-030090
# Add audit rules for commands/syscalls. # Add audit rules for commands/syscalls.
security_rhel7_audit_chsh: yes # RHEL-07-030525 security_rhel7_audit_chsh: yes # RHEL-07-030525
security_rhel7_audit_chage: yes # RHEL-07-030513 security_rhel7_audit_chage: yes # RHEL-07-030513

28
doc/metadata/rhel7/RHEL-07-030090.rst
View File

@@ -1,7 +1,29 @@
--- ---
id: RHEL-07-030090 id: RHEL-07-030090
status: not implemented status: implemented
tag: misc tag: auditd
--- ---
This STIG requirement is not yet implemented. The audit daemon takes various actions when there is an auditing failure. There
are three options for the ``-f`` flag for ``auditctl``:
* ``0``: In the event of an auditing failure, do nothing.
* ``1``: In the event of an auditing failure, write messages to the kernel log.
* ``2``: In the event of an auditing failure, cause a kernel panic.
Most operating systems set the failure flag to ``1`` by default, which
maximizes system availability while still causing an alert. The tasks in the
security role set the flag to ``1`` by default.
Deployers can adjust the following Ansible variable to customize the failure
flag:
.. code-block:: yaml
security_rhel7_audit_failure_flag: 1
.. warning::
Setting the failure flag to ``2`` is **strongly** discouraged unless the
security of the system takes priority over its availability. Any failure in
auditing causes a kernel panic and the system requires a hard reboot.

1
tasks/rhel7stig/auditd.yml
View File

@@ -133,3 +133,4 @@
- RHEL-07-030673 - RHEL-07-030673
- RHEL-07-030674 - RHEL-07-030674
- RHEL-07-030710 - RHEL-07-030710
- RHEL-07-030090

3
templates/osas-auditd-rhel7.j2
View File

@@ -85,3 +85,6 @@
-w /etc/shadow -p wa -k RHEL-07-030710 -w /etc/shadow -p wa -k RHEL-07-030710
-w /etc/security/opasswd -p wa -k RHEL-07-030710 -w /etc/security/opasswd -p wa -k RHEL-07-030710
{% endif %} {% endif %}
# Set the auditd failure flag
-f {{ security_rhel7_audit_failure_flag }}