From 300e49833b9bb6d459493273a39a8d4ef1fd7291 Mon Sep 17 00:00:00 2001
From: Gabriel Becker <ggasparb@redhat.com>
Date: Wed, 20 Oct 2021 17:13:46 +0200
Subject: [PATCH] Use different path to configure overflow_action in RHEL7/OL7
The correct path for this option in these OSes is
/etc/audisp/audispd.conf.
---
.../auditd_overflow_action/ansible/shared.yml | 9 ++++++++-
.../auditd_overflow_action/bash/shared.sh | 9 ++++++++-
.../auditd_overflow_action/oval/shared.xml | 8 +++++++-
.../auditd_overflow_action/rule.yml | 10 ++++++++--
.../tests/commented_out.fail.sh | 11 ++++++++++-
.../auditd_overflow_action/tests/empty.fail.sh | 9 ++++++++-
.../tests/file_not_present.fail.sh | 6 +++++-
.../auditd_overflow_action/tests/halt.pass.sh | 10 +++++++++-
.../auditd_overflow_action/tests/ignore.fail.sh | 10 +++++++++-
.../auditd_overflow_action/tests/not_present.fail.sh | 8 +++++++-
.../auditd_overflow_action/tests/setup.sh | 9 +++++++--
.../auditd_overflow_action/tests/single.pass.sh | 10 +++++++++-
.../auditd_overflow_action/tests/syslog.pass.sh | 10 +++++++++-
13 files changed, 104 insertions(+), 15 deletions(-)
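diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
index b63c6b40f9c..41fc224ac97 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/ansible/shared.yml
@@ -4,9 +4,16 @@
 # complexity = low
 # disruption = low
 
-{{{ ansible_set_config_file(file="/etc/audit/auditd.conf",
+{{%- if product in ["rhel7", "ol7"] %}}
+ {{%- set auditd_conf_path="/etc/audisp/audispd.conf" %}}
+{{%- else %}}
+ {{%- set auditd_conf_path="/etc/audit/auditd.conf" %}}
+{{%- endif %}}
+
+{{{ ansible_set_config_file(file=auditd_conf_path,
 parameter="overflow_action",
 value="syslog",
+ create=true,
 separator=" = ",
 separator_regex="\s*=\s*",
 prefix_regex="(?i)^\s*") }}}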
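Review bot: `create=true` is added to the `ansible_set_config_file` call for every product, not only inside the `rhel7`/`ol7` branch, while the commit message only describes the path change. If the flag makes the remediation create a missing file, as its name suggests, a host without `/etc/audit/auditd.conf` would end up with a file that holds only the `overflow_action` line, and whether that file gets the owner and mode expected of audit configuration depends on the macro, which is not visible here. Either pass the flag only for RHEL7/OL7 or add a one-line template comment above the call recording why creation is wanted everywhere. bash/shared.sh receives the same addition.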
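diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
index ec2d5ef0aad..84cb1cc177c 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/bash/shared.sh
@@ -4,9 +4,16 @@
 # complexity = low
 # disruption = low
 
-{{{set_config_file(path="/etc/audit/auditd.conf",
+{{%- if product in ["rhel7", "ol7"] %}}
+ {{%- set auditd_conf_path="/etc/audisp/audispd.conf" %}}
+{{%- else %}}
+ {{%- set auditd_conf_path="/etc/audit/auditd.conf" %}}
+{{%- endif %}}
+
+{{{set_config_file(path=auditd_conf_path,
 parameter="overflow_action",
 value="syslog",
+ create=true,
 insensitive=true,
 separator=" = ",
 separator_regex="\s*=\s*",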
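diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
index 880d01bf725..a07c3112908 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/oval/shared.xml
@@ -1,5 +1,11 @@
+{{%- if product in ["rhel7", "ol7"] %}}
+ {{%- set auditd_conf_path="/etc/audisp/audispd.conf" %}}
+{{%- else %}}
+ {{%- set auditd_conf_path="/etc/audit/auditd.conf" %}}
+{{%- endif %}}
+
 {{{ oval_check_config_file(
- path="/etc/audit/auditd.conf",
+ path=auditd_conf_path,
 prefix_regex="^[ \\t]*(?i)",
 parameter="overflow_action",
 value="(?i)(syslog|single|halt)(?-i)",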
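Review bot: The path conditional at the top of this check is a copy of the one in ansible/shared.yml, bash/shared.sh and rule.yml, and the test scripts repeat it once more as `config_file`. The check and the remediations only agree while every copy is edited together; if one drifts, a scan can pass on a file the remediation never wrote, or fail on a host that was remediated correctly. Defining the per-product path once and reading it in all four templates would remove that risk; whether the build system already offers a suitable product-level property cannot be told from this diff. The `oval_check_config_file` call continues past the end of the hunk.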
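diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
index 7614c56b672..37d52caba2c 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/rule.yml
@@ -1,10 +1,16 @@
+{{%- if product in ["rhel7", "ol7"] %}}
+ {{%- set auditd_conf_path="/etc/audisp/audispd.conf" %}}
+{{%- else %}}
+ {{%- set auditd_conf_path="/etc/audit/auditd.conf" %}}
+{{%- endif %}}
+
 documentation_complete: true
 
 title: Appropriate Action Must be Setup When the Internal Audit Event Queue is Full
 
 description: |-
 The audit system should have an action setup in the event the internal event queue becomes full.
- To setup an overflow action edit <tt>/etc/audit/auditd.conf</tt>. Set <tt>overflow_action</tt>
+ To setup an overflow action edit <tt>{{{ auditd_conf_path }}}</tt>. Set <tt>overflow_action</tt>
 to one of the following values: <tt>syslog</tt>, <tt>single</tt>, <tt>halt</tt>.
 
 
@@ -30,7 +36,7 @@ ocil_clause: 'auditd overflow action is not setup correctly'
 
 ocil: |-
 Verify the audit system is configured to take an appropriate action when the internal event queue is full:
- $ sudo grep -i overflow_action /etc/audit/auditd.conf
+ $ sudo grep -i overflow_action {{{ auditd_conf_path }}}
 
 The output should contain be like <tt>overflow_action = syslog</tt>
 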
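Review bot: The OCIL text in the second hunk still reads `The output should contain be like <tt>overflow_action = syslog</tt>`; since the command line just above it is being edited, `The output should be like <tt>overflow_action = syslog</tt>` would repair the sentence in the same change. Lines 17 to 35 of the new file lie between the two hunks and are not shown, so any further mention of `/etc/audit/auditd.conf` there would still point auditors at the wrong file on RHEL7/OL7 and is worth checking.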
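diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
index ec7525b1957..6951d2a7102 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/commented_out.fail.sh
@@ -2,4 +2,13 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
 
-echo "# overflow_action = syslog" >> /etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
+# remove any occurrence
+sed -i "s/^.*overflow_action.*$//" $config_file
+# put commented out occurrence
+echo "# overflow_action = syslog" >> "$config_file"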
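Review bot: The added `sed` line passes `$config_file` unquoted while the `echo` two lines below it quotes the same variable. The bare expansion recurs in the new lines of halt.pass.sh, ignore.fail.sh, single.pass.sh and syslog.pass.sh, and empty.fail.sh writes `${config_file}`, which is braced but still unquoted. The substitution also leaves an empty line behind for every match instead of removing it; `sed -i '/overflow_action/d' "$config_file"` would delete the lines and quote the path in one go.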
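diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
index e4d173ab379..df38cf0b571 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/empty.fail.sh
@@ -1,7 +1,14 @@
 #!/bin/bash
 # Ensure test system has proper directories/files for test scenario
+
 bash -x setup.sh
 
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
 if [[ -f $config_file ]]; then
- echo '' > $config_file
+ echo '' > ${config_file}
 fi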
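diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
index f26cd7cddff..4edb79f58ea 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/file_not_present.fail.sh
@@ -1,6 +1,10 @@
 #!/bin/bash
 
-config_file=/etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
 
 if [[ -f $config_file ]]; then
 rm -f $config_file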
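diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
index 0ec591b25b0..71eab1b1bd3 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/halt.pass.sh
@@ -2,4 +2,12 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
 
-echo "overflow_action = halt" >> /etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
+# remove any occurrence
+sed -i "s/^.*overflow_action.*$//" $config_file
+echo "overflow_action = halt" >> $config_file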
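diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
index 236ad543fe6..632080044ff 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/ignore.fail.sh
@@ -2,4 +2,12 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
 
-echo "overflow_action = ignore" >> /etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
+# remove any occurrence
+sed -i "s/^.*overflow_action.*$//" $config_file
+echo "overflow_action = ignore" >> $config_file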
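diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
index 74efdcafee0..6264758c2a6 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/not_present.fail.sh
@@ -1,5 +1,11 @@
 #!/bin/bash
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
-config_file=/etc/audit/auditd.conf
+
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
 sed -i "s/^.*overflow_action.*$//" $config_file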
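diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
index de11126320a..2e11cb479a4 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/setup.sh
@@ -1,9 +1,14 @@
 #!/bin/bash
 # Use this script to ensure the audit directory structure and audit conf file
 # exist in the test env.
-config_file=/etc/audit/auditd.conf
-
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+# Ensure directory structure exists (useful for container based testing)
+test -d /etc/audisp/ || mkdir -p /etc/audisp/
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
 # Ensure directory structure exists (useful for container based testing)
 test -d /etc/audit/ || mkdir -p /etc/audit/
+{{%- endif %}}
 
 test -f $config_file || touch $config_file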
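Review bot: The directory check is now written twice, once per branch, with the directory hard-coded next to `config_file`. `mkdir -p` already succeeds when the directory exists, so a single `mkdir -p "$(dirname "$config_file")"` placed after the `endif` would serve both products and cannot fall out of step with the path. The last context line, `test -f $config_file || touch $config_file`, also leaves both expansions unquoted. Because the scenarios run this file with `bash -x setup.sh`, the `config_file` set here is not visible to them, which is why each test repeats the conditional.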
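diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
index f9fa7a935cb..7cf199ad1bf 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/single.pass.sh
@@ -2,4 +2,12 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
 
-echo "overflow_action = single" >> /etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
+# remove any occurrence
+sed -i "s/^.*overflow_action.*$//" $config_file
+echo "overflow_action = single" >> $config_file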
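diff --git a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
index 1c625fb7524..58547c875b0 100644
--- a/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
+++ b/linux_os/guide/system/auditing/configure_auditd_data_retention/auditd_overflow_action/tests/syslog.pass.sh
@@ -2,4 +2,12 @@
 # Ensure test system has proper directories/files for test scenario
 bash -x setup.sh
 
-echo "overflow_action = syslog" >> /etc/audit/auditd.conf
+{{%- if product in ["rhel7", "ol7"] %}}
+config_file="/etc/audisp/audispd.conf"
+{{%- else %}}
+config_file="/etc/audit/auditd.conf"
+{{%- endif %}}
+
+# remove any occurrence
+sed -i "s/^.*overflow_action.*$//" $config_file
+echo "overflow_action = syslog" >> $config_file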