Configure auditd mail_acct Action on Low Disk Space

An XCCDF Rule

Description

The auditd service can be configured to send email to a designated account in certain situations. Add or correct the following line in /etc/audit/auditd.conf to ensure that administrators are notified via email for those situations:

action_mail_acct =

Rationale

Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.

ID: xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
Severity: Medium
References: 1 11 12 13 14 15 16 19 2 3 4 5 6 7 8

5.4.1.1

APO11.04 APO12.06 APO13.01 BAI03.05 BAI04.04 BAI08.02 DSS02.02 DSS02.04 DSS02.07 DSS03.01 DSS05.04 DSS05.07 MEA02.01

3.3.1

CCI-000139 CCI-001855

164.312(a)(2)(ii)

4.2.3.10 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.3.4.5.6 4.3.4.5.7 4.3.4.5.8 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1 SR 7.1 SR 7.2

A.12.1.3 A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.16.1.4 A.16.1.5 A.16.1.7 A.17.2.1

CIP-003-8 R1.3 CIP-003-8 R3 CIP-003-8 R3.1 CIP-003-8 R3.2 CIP-003-8 R3.3 CIP-003-8 R5.1.1 CIP-003-8 R5.3 CIP-004-6 R2.2.3 CIP-004-6 R2.3 CIP-007-3 R5.1 CIP-007-3 R5.1.2 CIP-007-3 R5.2 CIP-007-3 R5.3.1 CIP-007-3 R5.3.2 CIP-007-3 R5.3.3

AU-5(2) AU-5(a) CM-6(a) IA-5(1)

DE.AE-3 DE.AE-5 PR.DS-4 PR.PT-1 RS.AN-1 RS.AN-4

Req-10.7.a

SRG-OS-000046-GPOS-00022 SRG-OS-000343-GPOS-00134
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && dpkg-query --show --showformat='${db:Status-Status}\n' 'auditd' 2>/dev/null | grep -q installed; then

var_auditd_action_mail_acct='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" use="legacy"/>'

AUDITCONFIG=/etc/audit/auditd.conf

# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^action_mail_acct")

# shellcheck disable=SC2059
printf -v formatted_output "%s = %s" "$stripped_key" "$var_auditd_action_mail_acct"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^action_mail_acct\\>" "$AUDITCONFIG"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^action_mail_acct\\>.*/$escaped_formatted_output/gi" "$AUDITCONFIG"
else
    if [[ -s "$AUDITCONFIG" ]] && [[ -n "$(tail -c 1 -- "$AUDITCONFIG" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "$AUDITCONFIG"
    fi
    printf '%s\n' "$formatted_output" >> "$AUDITCONFIG"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Configure auditd mail_acct Action on Low Disk Space

Description

Rationale

Remediation - Shell Script