Major Hayden e57593dfd4 Automate the STIG documentation
With the upcoming changes to rebase onto the RHEL 7 STIG controls,
there needs to be a new solution for documentation that is easier
to manage and filter. This patch automates the generation of the STIG
control documentation in the following way:

* A Sphinx extension runs early in the doc build process that writes
  all of the individual STIG control docs as well as ToC pages.
* ToC pages are now sorted by severity, tag, and implementation status.
* A giant listing of controls is easier to navigate now.
* Docs are generated from metadata in the /doc/metadata directory. New
  documentation only needs to be added there. (Will explain this in
  the developer notes in a subsequent patch.)

Implements: blueprint security-rhel7-stig
Change-Id: I455af1121049f52193e98e2c9cb1ba5d4c292386
2016-09-09 14:43:30 +00:00

28 lines
1.0 KiB
ReStructuredText

---
id: V-38468
status: implemented
tag: misc
---
The default configuration for ``disk_full_action`` is ``SUSPEND``, which only
suspends audit logging. Suspending audit logging can lead to security problems
because the system is no longer keeping track of which syscalls were made.
The security role sets the configuration to ``SYSLOG`` so that messages are
sent to syslog when the disk is full. If syslog messages are being sent to
remote servers, these log messages should alert an administrator about the disk
being full. There are additional options available, like ``EXEC``, ``SINGLE``
or ``HALT``.
To configure a different ``disk_full_action``, set the following
Ansible variable:
.. code-block:: yaml
security_disk_full_action: SYSLOG
For details on available settings and what they do, run ``man auditd.conf``.
Some options can cause the host to go offline until the issue is fixed.
Deployers are urged to **carefully read the auditd documentation** prior to
changing the ``disk_full_action`` setting from the default.