usg-cisbenchmark: auditd shuts down machine if disk is full but there's no retention set

Bug #1878773 reported by Gábor Mészáros
This bug affects 2 people
Affects: Ubuntu Security Certifications
Status: Opinion
Importance: Wishlist
Assigned to: Richard Maciel Costa

Bug Description

According to usg-cisbenchmark Section 4, it is required to power off nodes when the disk runs out of space.
Currently the audit partition will eventually be filled up by storing logs there, as there is no retention set to rotate/compress/recycle those logs.
It exposes a risk that nodes will go down with no apparent reason (it is hard to check df or logs if the machine powers off right after boot).

The suggestion is to use logrotate or a custom cron.d job to limit exposure to this issue.

Changed in ubuntu-security-certifications:
assignee: nobody → Richard Maciel Costa (richardmaciel)
Changed in ubuntu-security-certifications:
status: New → Incomplete
Richard Maciel Costa (richardmaciel) wrote :

Rule 4.1.1.1 configures the max audit log file size. After it reaches that size, audit logs get rotated, according to the max_log_file_action parameter (also set by rule 4.1.1.1).

Now, the log from rsyslogd is rotated per /etc/logrotate.d/rsyslog configuration file. That file is provided by the rsyslog package.

So based on those two facts, looks like the suggestions provided by the bug reporter are already in place. If that isn't the case, please provide more information.

Gábor Mészáros (gabor.meszaros) wrote :

Thank you Richard!

Let me check it today and I will update with the details I gather.

Gábor Mészáros (gabor.meszaros) wrote :

The rsyslog logrotate.d configuration only rotates messages in /var/log/, but not under /var/log/audit.
That folder is on a separate partition with size of 2G. That is an issue because when that partition fills up, auditd shuts down the system.

Gábor Mészáros (gabor.meszaros) wrote :

So the default action for max_log_file_action in the CIS scripts is keep_logs, not to rotate them.

Richard Maciel Costa (richardmaciel) wrote :

Ah, ok, so this is in the case where the admin separates /var/log from /var/log/audit in two different partitions, so they don't interfere with each other.

Even in that case, the audit log rotates (see the max_log_file_action description in the auditd.conf man page), since it's set to keep_logs, which has the behavior of rotating logs when they reach the maximum size (set by max_log_file parameter), but DOES NOT delete any log data in the /var/log/audit directory.

You can point out that leaving it that way will lead to a denial of service if the audit partition fills up, and that's correct. The system admin is responsible for taking care of the audit log partition so it doesn't fill up. That's exactly the point of rule 4.1.1.2, so this is working as intended.

In order to help with customers not aware of those consequences, we can add a section explaining the side-effects of some rules to the README document. For that reason, I'm marking this issue as an opinion and adding it to the wishlist.

Changed in ubuntu-security-certifications:
importance: Undecided → Medium
status: Incomplete → Opinion
importance: Medium → Wishlist
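The fill-then-halt combination Richard describes (keep_logs growth plus a halt action when the partition is nearly full), as an added example that is not from this thread or from the usg-cisbenchmark project: a small checker that parses an auditd.conf and estimates how many log files fit before auditd halts the host. The sample config and the 2 GB partition size are constructed for illustration; the parameter names are the standard auditd.conf(5) keywords.

```python
"""Added example (not from the bug thread): parse an auditd.conf and flag
unbounded audit log growth combined with a halt-on-full action."""
from typing import Dict, List, Optional

# Constructed sample resembling a CIS-hardened auditd.conf; not from a real host.
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 8              # MB per file
max_log_file_action = keep_logs
num_logs = 5
space_left = 75
space_left_action = email
admin_space_left = 50         # MB
admin_space_left_action = halt
disk_full_action = halt
"""

HOST_DISRUPTING = {"halt", "single"}  # actions that take the machine down


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            conf[key.lower()] = value.lower()
    return conf


def max_usage_mb(conf: Dict[str, str]) -> Optional[int]:
    """Upper bound on audit log usage in MB, or None when growth is unbounded.

    Only 'rotate' with num_logs >= 2 ever deletes data (auditd.conf(5)); keep_logs,
    ignore, syslog and suspend all let /var/log/audit grow until the partition fills.
    """
    if conf.get("max_log_file_action") == "rotate" and int(conf.get("num_logs", "0")) >= 2:
        return int(conf["max_log_file"]) * int(conf["num_logs"])
    return None


def files_before_halt(conf: Dict[str, str], partition_mb: int) -> int:
    """Number of max_log_file-sized files written before admin_space_left triggers."""
    return (partition_mb - int(conf.get("admin_space_left", "0"))) // int(conf["max_log_file"])


def assess(conf: Dict[str, str], partition_mb: int) -> List[str]:
    """Return findings for the fill-then-halt failure mode; an empty list means bounded."""
    findings: List[str] = []
    halts = any(conf.get(k) in HOST_DISRUPTING for k in ("admin_space_left_action", "disk_full_action"))
    bound = max_usage_mb(conf)
    if bound is None and halts:
        findings.append("unbounded audit log growth; host halts after about "
                        f"{files_before_halt(conf, partition_mb)} files of {conf['max_log_file']} MB")
    elif bound is not None and bound >= partition_mb and halts:
        findings.append(f"rotation cap {bound} MB exceeds the {partition_mb} MB audit partition")
    return findings
```

With the sample values, a 2048 MB partition admits about 249 files of 8 MB before the halt threshold is reached; switching max_log_file_action to rotate bounds usage at num_logs * max_log_file = 40 MB and the finding disappears.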
Gábor Mészáros (gabor.meszaros) wrote :

Actually this could be stated more visibly: that the default configuration will eventually fill up the available disk space, and that the default configuration will automatically power off the node when the partition is full. This renders the system almost unbootable, because during system bootup auditd will issue a poweroff long before the login prompt. I think this is worse than acceptable behaviour, regardless of the fact that the CIS documentation recommends such settings.
