From 8186dba63996b25291d8a47dcbd6d327a58623c1 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 14:45:10 -0500
Subject: [PATCH] V-38680: Audit log capacity notifications

Implements: blueprint security-hardening

Change-Id: Ic346d99715bd00c08a0ba970905d6102ae5306c8
---
 defaults/main.yml | 3 +++
 doc/source/developer-notes/V-38680.rst | 6 ++++++
 tasks/auditd.yml | 12 ++++++++++++
 3 files changed, 21 insertions(+)
 create mode 100644 doc/source/developer-notes/V-38680.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 4b803370..0db09e67 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -149,6 +149,9 @@ max_log_file_action: ROTATE # V-38634
 # Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
 # and this matches the STIG's requirements.
 num_logs: 5 # V-38636
+# Set the email address of someone who can receive and respond to notifications
+# about low disk space for log volumes.
+action_mail_acct: root # V-38680
 # **IMMINENT DANGER**
 # The STIG says that the system should switch to single user mode when the
 # storage capacity gets very low. This can cause serious service disruptions
diff --git a/doc/source/developer-notes/V-38680.rst b/doc/source/developer-notes/V-38680.rst
new file mode 100644
index 00000000..2fae9bf0
--- /dev/null
+++ b/doc/source/developer-notes/V-38680.rst
@@ -0,0 +1,6 @@
+By default, Ubuntu sets the default recipient for storage capacity issues in
+auditd to the root user. The Ansible task ensures that the default remains set.
+
+Deployers are strongly urged to review V-38446 to ensure they have set the
+``root_forward_email`` variable so that the email system can route these
+critical notifications to a monitored mailbox.
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 507d69a1..cad7c021 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
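Review bot: The comment above the new `action_mail_acct` default describes the value as an email address, but what ships is the local account `root`, so a low-space notification only reaches anyone if root's local mail is forwarded somewhere that is read. The developer note added in this same commit already points deployers at V-38446 and `root_forward_email`; the default's own comment is where most deployers will look, so it should carry the same pointer, e.g. `# Local account or email address that receives low-disk-space notifications. The` / `# default 'root' only reaches a monitored mailbox if root_forward_email (V-38446) is set.`. Auditd only mails this account for the space actions configured to email; those settings are outside this hunk, so I am assuming the role's other defaults cover them.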
@@ -118,6 +118,18 @@
 - cat2
 - V-38470
+- name: V-38680 - Audit system must send email notifications when storage capacity is low
+ lineinfile:
+ dest: /etc/audit/auditd.conf
+ regexp: "^(#)?action_mail_acct"
+ line: "action_mail_acct = {{ action_mail_acct }}"
+ notify:
+ - restart auditd
+ tags:
+ - auditd
+ - cat2
+ - V-38680
+
 - name: V-38495 - Audit log files must be owned by root
 file:
 dest: /var/log/audit/