diff --git a/roles/os_hardening/README.md b/roles/os_hardening/README.md
index 5efff5bb1..e0feed68d 100644
--- a/roles/os_hardening/README.md
+++ b/roles/os_hardening/README.md
@@ -175,6 +175,9 @@ We know that this is the case on Raspberry Pi.
 - `os_auditd_max_log_file_action`
  - Default: `keep_logs`
  - Description: Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`.
+- `os_auditd_max_log_file`
+ - Default: `6`
+ - Description: This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. Useful in combination with `os_auditd_max_log_file_action` set to `rotate`. The value given must be numeric.
 - `hidepid_option`
  - Default: `2` (on RHEL/CentOS7 `0`, see known limitations)
  - Description: `0`: This is the default setting and gives you the default behaviour. `1`: With this option an normal user would not see other processes but their own about ps, top etc, but he is still able to see process IDs in /proc. `2`: Users are only able too see their own processes (like with hidepid=1), but also the other process IDs are hidden for them in /proc.
diff --git a/roles/os_hardening/defaults/main.yml b/roles/os_hardening/defaults/main.yml
index fd928a873..1ce9228a6 100644
--- a/roles/os_hardening/defaults/main.yml
+++ b/roles/os_hardening/defaults/main.yml
@@ -273,6 +273,7 @@ os_hardening_enabled: true
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
+os_auditd_max_log_file: 6
 os_auditd_max_log_file_action: keep_logs
 
 # Set the SELinux state, can be either disabled, permissive, or enforcing.
diff --git a/roles/os_hardening/templates/etc/audit/auditd.conf.j2 b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
index b65d03a17..68cf83acf 100644
--- a/roles/os_hardening/templates/etc/audit/auditd.conf.j2
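Review bot: The new default `os_auditd_max_log_file: 6` carries no in-line comment, although the neighbouring `os_auditd_enabled` is documented right above it and the unit and the coupling with the action are only explained in the README hunk. Suggest adding `# Maximum size of the audit log file in megabytes; reaching it triggers os_auditd_max_log_file_action.` on the line before it so an operator reading defaults/main.yml does not have to guess whether the value is bytes, kilobytes or megabytes.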
+++ b/roles/os_hardening/templates/etc/audit/auditd.conf.j2
@@ -11,7 +11,7 @@ disp_qos = lossy
 dispatcher = /sbin/audispd
 name_format = NONE
 ##name = mydomain
-max_log_file = 6
+max_log_file = {{ os_auditd_max_log_file }}
 max_log_file_action = {{ os_auditd_max_log_file_action }}
 space_left = 75
 space_left_action = SYSLOG
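Review bot: `max_log_file = {{ os_auditd_max_log_file }}` is rendered without any check that the value is a positive integer, and the README hunk only states that it "must be numeric"; an inventory override such as `"6M"` or an empty value produces an auditd.conf that auditd rejects at startup, so the host would end up with no audit logging at all rather than with a large log file. Consider validating before the template task, e.g. an `assert` task with `that: "os_auditd_max_log_file | int > 0"` (Jinja's `int` filter falls back to 0 for unparseable input, so this also rejects non-numeric strings and non-positive sizes), or at minimum rendering `{{ os_auditd_max_log_file | int }}`. The same variable is introduced in the defaults/main.yml hunk, which is where a short comment on the expected range would belong. The rest of auditd.conf.j2 lies outside the hunk.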