Make max_log_file_action for auditd configurable (#246)

* Make max_log_file_action for auditd configurable

This commit allows configuring the max_log_file_action of auditd to
avoid filling small /var/log partitions on systems that create many
audit log entries or run for a long period of time.

Signed-off-by: Jan Dittberner <jan.dittberner@t-systems.com>

* Add os_auditd_max_log_file_action to README

Signed-off-by: Jan Dittberner <jan.dittberner@t-systems.com>
Jan Dittberner 2019-11-07 16:19:42 +01:00 committed by Sebastian Gumprich
parent 9f11c47730
commit ce6af914c8
3 changed files with 3 additions and 1 deletion

@ -78,6 +78,7 @@ If you're using Docker / Kubernetes+Docker you'll need to override the ipv4 ip f
| `ufw_default_output_policy` | ACCEPT | set default output policy of ufw to `ACCEPT` |
| `ufw_default_forward_policy` | DROP | set default forward policy of ufw to `DROP` |
| `os_auditd_enabled` | true | Set to false to disable installing and configuring auditd. |
| `os_auditd_max_log_file_action` | `keep_logs` | Defines the behaviour of auditd when its log file is filled up. Possible other values are described in the auditd.conf man page. The most common alternative to the default may be `rotate`. |
## Packages
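Review bot: the new row should say that `keep_logs` is the one action that never discards a log, so with this default the `max_log_file = 6` setting in the template only decides when auditd starts a new file and disk usage stays unbounded; the commit's stated goal of protecting small /var/log partitions is only met with `rotate`, and then only in combination with `num_logs`, which this change does not expose. Suggest wording such as "`keep_logs` rotates but never deletes old logs; use `rotate` (bounded by `num_logs`) to cap disk usage." Also, the default is backticked here while the surrounding rows write `true`, `ACCEPT` and `DROP` without backticks; match the table's existing style.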

@ -250,6 +250,7 @@ os_hardening_enabled: true
# Set to false to disable installing and configuring auditd.
os_auditd_enabled: true
os_auditd_max_log_file_action: keep_logs
# Set the SELinux state, can be either disabled, permissive, or enforcing.
os_selinux_state: enforcing
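Review bot: `os_auditd_max_log_file_action` is the only default in this block without an explanatory comment, while `os_auditd_enabled` and `os_selinux_state` around it each carry one; add a line above it naming the accepted values, e.g. `# Action when an audit log reaches max_log_file: ignore, syslog, suspend, rotate or keep_logs.`, so users can pick a valid value without consulting the auditd.conf man page.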

@ -10,7 +10,7 @@ dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = keep_logs
max_log_file_action = {{ os_auditd_max_log_file_action }}
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
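Review bot: the variable is rendered into auditd.conf without any validation, and auditd rejects an unknown `max_log_file_action` value and refuses to start, so a typo in `os_auditd_max_log_file_action` leaves the host without a running audit daemon after the next restart, which for a hardening role is a worse failure than a full partition. Suggest an `assert` task before the template is applied, e.g. `that: os_auditd_max_log_file_action in ['ignore', 'syslog', 'suspend', 'rotate', 'keep_logs']`, with a `fail_msg` pointing at the README row. The removed literal `keep_logs` matches the new variable default, so existing users see no behaviour change; that is worth stating explicitly.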