RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1650670 - Allow space left in auditd.conf to be expressed as a percentage
Summary: Allow space left in auditd.conf to be expressed as a percentage
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.5
Hardware: Unspecified
OS: Unspecified
low
unspecified
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-16 19:33 UTC by Randall Wood
Modified: 2019-08-06 13:03 UTC (History)
3 users (show)

Fixed In Version: audit-2.8.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-08-06 13:03:45 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2191 0 None None None 2019-08-06 13:03:53 UTC

Description Randall Wood 2018-11-16 19:33:40 UTC 
Description of problem:

CNSSI 1253 Appendix F, Attachment 3 [details] (the Cross Domain Solutions Overlay)[1] has the following requirements for notification of audit record storage capacity:

> (U) AU-5(1), Response to Audit Processing Failures | Audit Storage Capacity
>
> (U) Parameter Value for Access, Transfer, and Multilevel: The information
> system provides a warning to the CDS System Administrator and/or Security
> Administrator, at a minimum, within seconds when allocated audit record
> storage volume reaches 75% and continues to notify at 80%, 90%, 95%, 98% and
> 99% of repository maximum audit record storage capacity.

For installations at customer sites, with customer provided hardware, Forcepoint engineers modify etc/audit/auditd.conf by hand to set the "space_left" and "admin_space_left" values to match the correct values based on partition size for 25% and 1% respectively, which partially meets the guidance.

Can the following changes be made to allow a configuration that completely meets the guidance?

- accept a percentage value (ex: 25%) as well as fixed size in MB for both "space_left" and "admin_space_left" in auditd.conf

- allow a comma separated list "space_left" so that the "space_left_action" can be taken on each of those values?

We are seeing this inability to configure auditd to match this guidance in RHEL 6, RHEL 7, Fedora 29, and presume RHEL 8 Beta (untested) is also unable to be so configured.

[1]: Full document is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm but available only for holders of US Government CAC or PIV cards.
Comment 2 Steve Grubb 2018-11-21 17:22:30 UTC 
This control is part of the NIST 800-53 rev4:
https://nvd.nist.gov/800-53/Rev4/control/AU-5

RESPONSE TO AUDIT PROCESSING FAILURES | AUDIT STORAGE CAPACITY
The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

Auditd meets that.

What is being asked for is not a requirement specified by the NIST risk management framework nor specified in Common Criteria. Which leads to a question of does any platform support something like this? How is this met on Windows for example? Thanks.
Comment 3 Randall Wood 2018-11-21 18:06:27 UTC 
The requirement being asked for is in the document "Committee on National Security Systems Instruction (CNSSI) 1253 Appendix 3: Cross Domain Solution (CDS) Overlays". CNSSI 1253 is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm (the design of that site is such that individual documents cannot be linked against).

To my knowledge, the Windows operating system is not considered secure enough to be allowed to be used as a CDS by the US Government, so this requirement would not be levied against that OS. Also to my knowledge, the only OS in active development that is used as a CDS by the US Government is derived from Red Hat Enterprise Linux (Solaris with Trusted Extensions has also been used, but every CDS I am aware of is migrating off that to Red Hat Enterprise Linux).
Comment 4 Steve Grubb 2018-11-21 21:20:29 UTC 
OK. Fair enough. My first thoughts are that this is a general problem (disk capacity) and not specifically an audit problem. I'll dig into this a bit more.
Comment 5 Steve Grubb 2018-11-30 16:33:26 UTC 
Ok. I have done a little research on this. On the Microsoft side, it looks like this kind of alerting is done by their performance monitoring tools. On RHEL, the equivalent is the Performance Co-Pilot. 

Some basic RHEL documentation that describes it is here:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/performance_tuning_guide/s-analyzeperf-pcp

Better upstream documentation is here:
https://pcp.io/documentation.html

In particular, there is the pmie service. 
https://pcp.io/man/man1/pmie.1.html

and example rules such as this:
https://github.com/performancecopilot/pcp/blob/master/src/pmie/examples/disk.20

which shows how to do alerts on disk fullness. This is a general solution for any disk capacity problems. You may also find its ability to alert on other problems useful.
Comment 6 Randall Wood 2018-12-04 18:12:21 UTC 
Thank you for the guidance regarding how to configure PCP for this.

Can we at least consider allowing a percentage for the "space_left" and "admin_space_left" in auditd.conf since the NIST guidance is "organization-defined percentage"?
Comment 7 Steve Grubb 2018-12-04 18:51:06 UTC 
Yes, I think it wouldn't be too hard scan the string for % and if found then do the math and place that into the parameter instead. I'll see if I can add this to the upcoming 2.8.5 release.
Comment 8 Steve Grubb 2018-12-06 23:18:35 UTC 
Changing the name of this report to better reflect what the ask is.
Comment 9 Steve Grubb 2018-12-18 17:22:52 UTC 
This feature was added to upstream git repo as commit 58005af.
Comment 10 Steve Grubb 2019-03-05 18:04:53 UTC 
audit-2.8.5-1.el7 was built to address this issue.
Comment 14 errata-xmlrpc 2019-08-06 13:03:45 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2191
Note You need to log in before you can comment on or make changes to this bug.