Disable failed access auditd logging

By default, the security role enables audit logging for failed file
accesses. This causes lots of log lines due to the way that rsyslog
looks for existing log files on the system.

This patch disables the auditd rule by default and adds documentation
for deployers so they know how to opt-in to the change.

Release notes are included.

Includes a fix from master to improve the documentation as well:
  https://review.openstack.org/#/c/312103/

Closes-bug: 1577448

Change-Id: I9ce4a208f5b9f28a1f317cb25a8114b902f5cabb
(cherry picked from commit 77b8b456ad)
Major Hayden
2016-05-03 10:03:39 -05:00
parent 556de0826b
commit 8db2a8265a
2 changed files with 13 additions and 2 deletions


@@ -71,7 +71,7 @@ auditd_rules:
DAC_lsetxattr: yes # V-38561
DAC_setxattr: yes # V-38565
deletions: no # V-38575
failed_access: yes # V-38566
failed_access: no # V-38566
filesystem_mounts: yes # V-38568
kernel_modules: yes # V-38580
network_changes: yes # V-38540
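Review bot: flipping `failed_access` from `yes` to `no` switches off the V-38566 audit rule for every deployment that takes the role defaults, which is a compliance regression for deployers who were relying on the previous default, so the changed default needs to be announced. The commit message says release notes are included, but this change touches only two files and the other one is the rst documentation hunk, so no release note appears in this diff; add the note (or correct the commit message). The `# V-38566` comment is kept on the new line, which is right, since deployers auditing against the STIG still need to find the control here.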


@@ -1 +1,12 @@
Rules are added for auditd to log failed access attempts to files and programs.
**Exception**
The audit rules for logging failed access attempts can generate significant
amounts of log traffic in some environments. These rules are disabled by
default.
To opt-in for this change and enable audit logging for these events, adjust
the following Ansible variable:
.. code-block:: yaml
auditd_rules['failed_access']: yes
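Review bot: the opt-in example `auditd_rules['failed_access']: yes` does not override a single key of the `auditd_rules` dictionary; YAML has no subscript syntax in mapping keys, so an Ansible variables file treats the whole bracketed string as the name of a new variable and `failed_access` stays `no`. Show deployers the override the role actually honours, which is redefining `auditd_rules` as a dictionary containing `failed_access: yes` alongside the other keys, so that a copied example enables the rule rather than silently doing nothing. Two smaller points in the same hunk: the retained first line still says the rules "are added", which now contradicts "These rules are disabled by default" four lines later, so reword it to say the rules are available but off unless enabled; and "To opt-in for this change" should read "To opt in to this change".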