Merge "V-38680: Audit log capacity notifications"

defaults/main.yml

@@ -156,6 +156,9 @@ max_log_file_action: ROTATE                       # V-38634
 # Set the number of rotated audit logs to keep.  Ubuntu has 5 as the default
 # and this matches the STIG's requirements.
 num_logs: 5                                       # V-38636
+# Set the email address of someone who can receive and respond to notifications
+# about low disk space for log volumes.
+action_mail_acct: root                            # V-38680
 # **IMMINENT DANGER**
 # The STIG says that the system should switch to single user mode when the
 # storage capacity gets very low. This can cause serious service disruptions

doc/source/developer-notes/V-38680.rst

@@ -0,0 +1,6 @@
+By default, Ubuntu sets the default recipient for storage capacity issues in
+auditd to the root user. The Ansible task ensures that the default remains set.
+
+Deployers are strongly urged to review V-38446 to ensure they have set the
+``root_forward_email`` variable so that the email system can route these
+critical notifications to a monitored mailbox.

tasks/auditd.yml

@@ -161,6 +161,18 @@
     - cat2
     - V-38470
 
+- name: V-38680 - Audit system must send email notifications when storage capacity is low
+  lineinfile:
+    dest: /etc/audit/auditd.conf
+    regexp: "^(#)?action_mail_acct"
+    line: "action_mail_acct = {{ action_mail_acct }}"
+  notify:
+    - restart auditd
+  tags:
+    - auditd
+    - cat2
+    - V-38680
+
 - name: V-38495 - Audit log files must be owned by root
   file:
     dest: /var/log/audit/