Bug 972463

Summary: The audit system must alert designated staff members when the audit storage volume approaches capacity,
Product: Red Hat Enterprise Linux 6
Reporter: Jason Pyeron <jpyeron>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: unspecified
Version: 6.6
CC: jason.j.pyeron.ctr, jrieden
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-06-10 00:59:25 UTC
Type: Bug
Bug Blocks: 972523
Attachments: RHEL-06-000005 (flags: none); specfile patch (flags: none)

Description Jason Pyeron 2013-06-09 15:31:31 UTC
Created attachment 758822
RHEL-06-000005

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):

http://ftp.redhat.com/pub/redhat/linux/enterprise/6Server/en/os/SRPMS/audit-2.2-2.el6.src.rpm

How reproducible:

Always

Steps to Reproduce:

perform a yum install

Actual results:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = SYSLOG
admin_space_left_action = SUSPEND

Expected results:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html

Comment 1 Jason Pyeron 2013-06-09 15:33:29 UTC
Created attachment 758823
specfile patch

Comment 3 Steve Grubb 2013-06-09 18:11:09 UTC
I don't think we want to apply a patch like this. The problem is that not everyone wants an email alert. Some like it in syslog where a log scanner picks it out. Other people like to add a script where they can send an SNMP trap. Others may want it to email to a specific account besides root. So, the default setting is really aimed at not being annoying since not everyone uses the audit system to its fullest extent.

Comment 4 Steve Grubb 2013-06-10 00:59:25 UTC
I'm closing this. It's not a good default for everyone. It may be a good setting for some people, but not everyone.
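
Added example, not part of the bug report or the audit package: a shell check that reports which low-space alert path an auditd.conf selects (the syslog, script and email options named in comment 3) and passes only for the email value the description expects. action_mail_acct is the standard auditd.conf mail-recipient key, with root assumed when it is absent; the function names and the sample file are constructed here.

```shell
#!/bin/sh
# Added example: report how an auditd.conf alerts when audit log space runs low.

# get_opt FILE KEY: print the last value assigned to KEY (keys compared case-insensitively).
get_opt() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }    # skip comment lines
        index($0, "=") {
            k = $1; gsub(/[ \t]/, "", k)
            if (tolower(k) == tolower(key)) {
                v = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# alert_path FILE: print "email:ACCT", "exec:PATH", "unset", or the lower-cased action.
alert_path() {
    action=$(get_opt "$1" space_left_action)
    lc=$(printf '%s' "$action" | tr '[:upper:]' '[:lower:]')
    case "$lc" in
        email)   acct=$(get_opt "$1" action_mail_acct)
                 printf 'email:%s\n' "${acct:-root}" ;;   # root assumed when no account is set
        exec\ *) printf 'exec:%s\n' "${action#* }" ;;     # keep the script path as written
        '')      printf 'unset\n' ;;
        *)       printf '%s\n' "$lc" ;;
    esac
}

# stig_check FILE: succeed only when space_left_action is email,
# the value shown under "Expected results" in the report.
stig_check() {
    case "$(alert_path "$1")" in
        email:*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Constructed sample input: the two default lines quoted under "Actual results".
demo=$(mktemp)
printf 'space_left_action = SYSLOG\nadmin_space_left_action = SUSPEND\n' > "$demo"
echo "alert path: $(alert_path "$demo")"
stig_check "$demo" && echo "email alert configured" || echo "no email alert configured"
rm -f "$demo"
```

On a real host, point the functions at /etc/audit/auditd.conf instead of the constructed sample.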