From 2b9a1cce25b3266111b198eb18b83d6800ca1483 Mon Sep 17 00:00:00 2001
From: Major Hayden
Date: Fri, 9 Oct 2015 15:55:56 -0500
Subject: [PATCH] V-53481: Auditd disk space + single-user mode

Implements: blueprint security-hardening
Change-Id: I3839996608f8b5e7805e0a313c625238a4644868
---
 defaults/main.yml | 7 +++++++
 doc/source/developer-notes/V-54381.rst | 17 +++++++++++++++++
 tasks/auditd.yml | 12 ++++++++++++
 3 files changed, 36 insertions(+)
 create mode 100644 doc/source/developer-notes/V-54381.rst

diff --git a/defaults/main.yml b/defaults/main.yml
index 4a90cd8a..94d2913c 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -147,6 +147,13 @@ max_log_file_action: ROTATE # V-38634
 # Set the number of rotated audit logs to keep. Ubuntu has 5 as the default
 # and this matches the STIG's requirements.
 num_logs: 5 # V-38636
+# **IMMINENT DANGER**
+# The STIG says that the system should switch to single user mode when the
+# storage capacity gets very low. This can cause serious service disruptions
+# and should only be set to 'single' for deployers in extremely high security
+# environments. Ubuntu's default is SUSPEND, which will suspend logging.
+# **IMMENENT DANGER**
+admin_space_left_action: SUSPEND # V-54381
 
 ## Authentication
 # V-38475 - There is no password length requirement by default in Ubuntu
diff --git a/doc/source/developer-notes/V-54381.rst b/doc/source/developer-notes/V-54381.rst
new file mode 100644
index 00000000..115af033
--- /dev/null
+++ b/doc/source/developer-notes/V-54381.rst
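Review bot: The closing marker of the new comment block is misspelled — `# **IMMENENT DANGER**` should match the opening `# **IMMINENT DANGER**`. The comment tells deployers to set the value to 'single' while the new developer note documents `SINGLE`; auditd.conf(5) spells the actions in lowercase, so choose one form for both places so that a grep for the documented override finds it. It would also help to spell out what the default costs: with SUSPEND the host keeps running but audit records stop being written until space is freed, so the default trades completeness of the audit trail for availability and only stays safe if free space on the audit log filesystem is monitored — a sentence such as `# With SUSPEND the host stays up but no audit records are written until space is freed; monitor audit log disk space.` would say so. Separately, the commit subject reads V-53481 while the default's tag, the task and the developer note all use V-54381.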
@@ -0,0 +1,17 @@ +**Exception** + +The STIG requires that the audit system must switch the entire system into +single-user mode when the space for logging becomes dangerously low. + +**This will cause serious service disruptions for any environment and should +only be enabled for extremely high security environments.** + +Ubuntu sets ``admin_space_left_action`` to ``SUSPEND`` by default, and this +will cause logging to be temporarily suspended until disk space is freed. + +For extremely high security environments, this Ansible variable can be +provided to meet the requirements of the STIG: + +.. code-block:: yaml + + admin_space_left_action: SINGLE diff --git a/tasks/auditd.yml b/tasks/auditd.yml index c1fe2859..e2970056 100644 --- a/tasks/auditd.yml +++ b/tasks/auditd.yml @@ -150,3 +150,15 @@ - auditd - cat3 - V-38471 + +- name: V-54381 - The audit system must switch to single user mode when disk space is low + lineinfile: + dest: /etc/audit/auditd.conf + regexp: "^(#)?admin_space_left_action" + line: "admin_space_left_action = {{ admin_space_left_action }}" + notify: + - restart auditd + tags: + - auditd + - cat2 + - V-54381
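Review bot: The value of `admin_space_left_action` is written into /etc/audit/auditd.conf unchecked and the handler then restarts auditd, so a typo in a deployer override (the default is `SUSPEND`, the developer note suggests `SINGLE`) is likely to surface only when auditd fails to start again, which could leave the host with no auditing at all. An `assert` task placed before the lineinfile, restricting the value to the actions auditd.conf(5) documents, fails the play early and visibly instead; the lineinfile regexp itself, `^(#)?admin_space_left_action`, correctly replaces a commented-out default. The task name repeats the STIG wording ("must switch to single user mode") while the role installs SUSPEND by default, so a one-line comment above the task such as `# Deliberate exception: see doc/source/developer-notes/V-54381.rst` would stop a reader from assuming the control is fully implemented.

```yaml
- name: V-54381 - Validate admin_space_left_action before writing it
  assert:
    that:
      - "admin_space_left_action | lower in ['ignore', 'syslog', 'email', 'exec', 'suspend', 'single', 'halt']"
    msg: "admin_space_left_action must be an action listed in auditd.conf(5)"
  tags:
    - auditd
    - cat2
    - V-54381

# … unchanged: V-54381 lineinfile task …
```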