27 lines
963 B
ReStructuredText
27 lines
963 B
ReStructuredText
---
|
|
id: V-38464
|
|
status: implemented
|
|
tag: misc
|
|
---
|
|
|
|
The default configuration for ``disk_error_action`` is ``SUSPEND``, which
|
|
only suspends audit logging when there is a disk error on the system.
|
|
Suspending audit logging can lead to security problems because the system is no
|
|
longer keeping track of which syscalls were made.
|
|
|
|
The security role sets the configuration to ``SYSLOG`` so that messages are
|
|
sent to syslog when disk errors occur. There are additional options available,
|
|
like ``EXEC``, ``SINGLE`` or ``HALT``.
|
|
|
|
To configure a different ``disk_error_action``, set the following Ansible
|
|
variable:
|
|
|
|
.. code-block:: yaml
|
|
|
|
security_disk_error_action: SYSLOG
|
|
|
|
For details on available settings and what they do, run ``man auditd.conf``.
|
|
Some options can cause the host to go offline until the issue is fixed.
|
|
Deployers are urged to **carefully read the auditd documentation** prior to
|
|
changing the ``security_disk_error_action`` setting from the default.
|