Configure auditd mail_acct Action on Low Disk Space
An XCCDF Rule
Description
The auditd
service can be configured to send email to
a designated account in certain situations. Add or correct the following line
in /etc/audit/auditd.conf
to ensure that administrators are notified
via email for those situations:
action_mail_acct =
Rationale
Email sent to the root account is typically aliased to the administrators of the system, who can take appropriate action.
- ID
- xccdf_org.ssgproject.content_rule_auditd_data_retention_action_mail_acct
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ] && rpm --quiet -q audit; then
var_auditd_action_mail_acct='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_auditd_action_mail_acct" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-83698-1
- CJIS-5.4.1.1