Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 972463 - The audit system must alert designated staff members when the audit storage volume approaches capacity,
The audit system must alert designated staff members when the audit storage v...
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: audit (Show other bugs)
All Linux
unspecified Severity high
: rc
: ---
Assigned To: Steve Grubb
BaseOS QE Security Team
Depends On:
Blocks: 972523
  Show dependency treegraph
Reported: 2013-06-09 11:31 EDT by Jason Pyeron
Modified: 2013-06-10 17:38 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-06-09 20:59:25 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
RHEL-06-000005 (349 bytes, patch)
2013-06-09 11:31 EDT, Jason Pyeron
no flags Details | Diff
specfile patch (1.18 KB, patch)
2013-06-09 11:33 EDT, Jason Pyeron
no flags Details | Diff

  None (edit)
Description Jason Pyeron 2013-06-09 11:31:31 EDT
Created attachment 758822 [details]

Description of problem:

The default configuration is not conforming to best practices. The Red Hat Enterprise Linux 6 Security Technical Implementation Guide (STIG) v1.2 published by the Defense Information Systems Agency recommends the changes in the attached patch.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

perform a yum install

Actual results:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = SYSLOG
admin_space_left_action = SUSPEND

Expected results:

# grep space_left_action /etc/audit/auditd.conf
space_left_action = email

Additional info:

see: http://iase.disa.mil/stigs/os/unix/red_hat.html
Comment 1 Jason Pyeron 2013-06-09 11:33:29 EDT
Created attachment 758823 [details]
specfile patch
Comment 3 Steve Grubb 2013-06-09 14:11:09 EDT
I don't think we want to apply a patch like this. The problem is that not everyone wants an email alert. Some like it in syslog where a log scanner picks it out. Other people like to add a script where they can send a snmp trap. Others may want it to email to a specific account besides root. So, the default setting is really aimed at not to be annoying since not everyone uses the audit system to its fullest extent.
Comment 4 Steve Grubb 2013-06-09 20:59:25 EDT
I'm closing this. Its not a good default for everyone. It may be a good setting for some people, but not everyone.

Note You need to log in before you can comment on or make changes to this bug.