Bug 1650670 - Allow space left in auditd.conf to be expressed as a percentage
Summary: Allow space left in auditd.conf to be expressed as a percentage
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: audit
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Steve Grubb
QA Contact: Ondrej Moriš
Depends On:
TreeView+ depends on / blocked
Reported: 2018-11-16 19:33 UTC by Randall Wood
Modified: 2019-08-06 13:03 UTC (History)
3 users (show)

Fixed In Version: audit-2.8.5-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 13:03:45 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:2191 0 None None None 2019-08-06 13:03:53 UTC

Description Randall Wood 2018-11-16 19:33:40 UTC
Description of problem:

CNSSI 1253 Appendix F, Attachment 3 [details] (the Cross Domain Solutions Overlay)[1] has the following requirements for notification of audit record storage capacity:

> (U) AU-5(1), Response to Audit Processing Failures | Audit Storage Capacity
> (U) Parameter Value for Access, Transfer, and Multilevel: The information
> system provides a warning to the CDS System Administrator and/or Security
> Administrator, at a minimum, within seconds when allocated audit record
> storage volume reaches 75% and continues to notify at 80%, 90%, 95%, 98% and
> 99% of repository maximum audit record storage capacity.

For installations at customer sites, with customer provided hardware, Forcepoint engineers modify etc/audit/auditd.conf by hand to set the "space_left" and "admin_space_left" values to match the correct values based on partition size for 25% and 1% respectively, which partially meets the guidance.

Can the following changes be made to allow a configuration that completely meets the guidance?

- accept a percentage value (ex: 25%) as well as fixed size in MB for both "space_left" and "admin_space_left" in auditd.conf

- allow a comma separated list "space_left" so that the "space_left_action" can be taken on each of those values?

We are seeing this inability to configure auditd to match this guidance in RHEL 6, RHEL 7, Fedora 29, and presume RHEL 8 Beta (untested) is also unable to be so configured.

[1]: Full document is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm but available only for holders of US Government CAC or PIV cards.

Comment 2 Steve Grubb 2018-11-21 17:22:30 UTC
This control is part of the NIST 800-53 rev4:

The information system provides a warning to [Assignment: organization-defined personnel, roles, and/or locations] within [Assignment: organization-defined time period] when allocated audit record storage volume reaches [Assignment: organization-defined percentage] of repository maximum audit record storage capacity.

Auditd meets that.

What is being asked for is not a requirement specified by the NIST risk management framework nor specified in Common Criteria. Which leads to a question of does any platform support something like this? How is this met on Windows for example? Thanks.

Comment 3 Randall Wood 2018-11-21 18:06:27 UTC
The requirement being asked for is in the document "Committee on National Security Systems Instruction (CNSSI) 1253 Appendix 3: Cross Domain Solution (CDS) Overlays". CNSSI 1253 is at https://www.cnss.gov/CNSS/issuances/Instructions.cfm (the design of that site is such that individual documents cannot be linked against).

To my knowledge, the Windows operating system is not considered secure enough to be allowed to be used as a CDS by the US Government, so this requirement would not be levied against that OS. Also to my knowledge, the only OS in active development that is used as a CDS by the US Government is derived from Red Hat Enterprise Linux (Solaris with Trusted Extensions has also been used, but every CDS I am aware of is migrating off that to Red Hat Enterprise Linux).

Comment 4 Steve Grubb 2018-11-21 21:20:29 UTC
OK. Fair enough. My first thoughts are that this is a general problem (disk capacity) and not specifically an audit problem. I'll dig into this a bit more.

Comment 5 Steve Grubb 2018-11-30 16:33:26 UTC
Ok. I have done a little research on this. On the Microsoft side, it looks like this kind of alerting is done by their performance monitoring tools. On RHEL, the equivalent is the Performance Co-Pilot. 

Some basic RHEL documentation that describes it is here:

Better upstream documentation is here:

In particular, there is the pmie service. 

and example rules such as this:

which shows how to do alerts on disk fullness. This is a general solution for any disk capacity problems. You may also find its ability to alert on other problems useful.

Comment 6 Randall Wood 2018-12-04 18:12:21 UTC
Thank you for the guidance regarding how to configure PCP for this.

Can we at least consider allowing a percentage for the "space_left" and "admin_space_left" in auditd.conf since the NIST guidance is "organization-defined percentage"?

Comment 7 Steve Grubb 2018-12-04 18:51:06 UTC
Yes, I think it wouldn't be too hard scan the string for % and if found then do the math and place that into the parameter instead. I'll see if I can add this to the upcoming 2.8.5 release.

Comment 8 Steve Grubb 2018-12-06 23:18:35 UTC
Changing the name of this report to better reflect what the ask is.

Comment 9 Steve Grubb 2018-12-18 17:22:52 UTC
This feature was added to upstream git repo as commit 58005af.

Comment 10 Steve Grubb 2019-03-05 18:04:53 UTC
audit-2.8.5-1.el7 was built to address this issue.

Comment 14 errata-xmlrpc 2019-08-06 13:03:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.