From 9f3921a6506b7ae46acc9846059d8da7a1dd6dce Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Tue, 6 Dec 2016 09:49:50 -0600
Subject: [PATCH] Set space_left_action in auditd [+Docs]

This patch configures auditd to send emails to the administrator when the `space_left` threshold is reached. Deployers can customize this setting if needed. Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: I93673193b74dacb3def92b761b315eabd41cea41
---
 defaults/main.yml | 4 ++++
 doc/metadata/rhel7/RHEL-07-030351.rst | 15 ++++++++++++---
 vars/common.yml | 4 +++-
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 94d364cc..054bca2e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -396,6 +396,10 @@ security_rhel7_auditd_disk_full_action: syslog # RHEL-07-030340
 security_rhel7_auditd_network_failure_action: syslog # RHEL-07-030340
 # Size of remaining disk space (in MB) that triggers alerts.
 security_rhel7_auditd_space_left: "{{ (ansible_mounts | selectattr('mount', 'equalto', '/') | map(attribute='size_total') | first * 0.25 / 1024 / 1024) | int }}" # RHEL-07-030350
+# Action to take when the space_left threshold is reached.
+security_rhel7_auditd_space_left_action: email # RHEL-07-030351
+# Send auditd email alerts to this user.
+security_rhel7_auditd_action_mail_acct: root # RHEL-07-030352
 # Add audit rules for commands/syscalls.
 security_rhel7_audit_chsh: yes # RHEL-07-030525
 security_rhel7_audit_chage: yes # RHEL-07-030513
diff --git a/doc/metadata/rhel7/RHEL-07-030351.rst b/doc/metadata/rhel7/RHEL-07-030351.rst
index 05dc948a..dfd6eb3d 100644
--- a/doc/metadata/rhel7/RHEL-07-030351.rst
+++ b/doc/metadata/rhel7/RHEL-07-030351.rst
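Review bot: In defaults/main.yml, `security_rhel7_auditd_action_mail_acct` is introduced, but the vars/common.yml hunk of this patch only adds `space_left_action` to `auditd_config`, so within this patch the new variable is never written to /etc/audit/auditd.conf. Unless a task outside this diff consumes it, a deployer override has no effect and the alert recipient stays at whatever auditd.conf already holds. Either defer the variable to the RHEL-07-030352 change or wire it up here with a matching list entry: `- parameter: action_mail_acct`, `value: "{{ security_rhel7_auditd_action_mail_acct }}"`, `config: /etc/audit/auditd.conf`. The comment on the default could also say that the account should be a mailbox someone actually reads, since low-disk warnings for the audit log are only useful if they reach an operator.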
@@ -1,7 +1,16 @@
 ---
 id: RHEL-07-030351
-status: not implemented
-tag: misc
+status: implemented
+tag: auditd
 ---

-This STIG requirement is not yet implemented.
+The ``space_left_action`` in the audit daemon configuration is set to
+``email``. This configuration causes the root user to receive an email when the
+``space_left`` threshold is reached.
+
+Deployers can customize this configuration by setting the following Ansible
+variable:
+
+.. code-block:: yaml
+
+ security_rhel7_auditd_space_left_action: email
diff --git a/vars/common.yml b/vars/common.yml
index cf7a63dc..202f7184 100644
--- a/vars/common.yml
+++ b/vars/common.yml
@@ -31,7 +31,9 @@ auditd_config:
 - parameter: space_left
 value: "{{ security_rhel7_auditd_space_left }}"
 config: /etc/audit/auditd.conf
-
+ - parameter: space_left_action
+ value: "{{ security_rhel7_auditd_space_left_action }}"
+ config: /etc/audit/auditd.conf
 ## auditd rules
 # This variable is used in tasks/rhel7stig/auditd.yml to deploy auditd rules
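Review bot: In vars/common.yml, the new `space_left_action` entry passes the deployer-supplied value straight into /etc/audit/auditd.conf, and nothing visible here restricts it to an action auditd accepts. The consuming task and the start of the `auditd_config` list lie outside the hunk, so validation may already exist there. If it does not, list the accepted values next to the default, for example `# Valid: ignore, syslog, email, exec, suspend, single, halt`, so a typo is caught in review rather than when auditd is restarted. The `email` action also depends on a sendmail binary being present on the host, which is worth stating in the variable comment: `# email needs a working local MTA (sendmail) to deliver the alert`.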