From 88ffe32137c841e4c1d63f9d7020aaa81026edc3 Mon Sep 17 00:00:00 2001
From: Ionut Pruteanu
Date: Wed, 20 Dec 2023 21:58:49 +0200
Subject: [PATCH 1/2] Storing max_log_file under `rhel9cis_auditd` dict variable.

Signed-off-by: Ionut Pruteanu
---
 defaults/main.yml               | 11 ++---------
 tasks/section_4/cis_4.1.2.x.yml |  2 +-
 2 files changed, 3 insertions(+), 10 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 0bc0137..39d8691 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -525,26 +525,19 @@ rhel9cis_auditd:
     space_left_action: email
     action_mail_acct: root
     admin_space_left_action: halt
+    # The max_log_file parameter should be based on your sites policy.
+    max_log_file: 10
     max_log_file_action: keep_logs
 
 # The audit_back_log_limit value should never be below 8192
 rhel9cis_audit_back_log_limit: 8192
 
-# The max_log_file parameter should be based on your sites policy
-rhel9cis_max_log_file_size: 10
-
 ### 4.1.3.x audit template
 update_audit_template: false
 
 ## Advanced option found in auditd post
 rhel9cis_allow_auditd_uid_user_exclusions: false
 
-# This can be used to configure other keys in auditd.conf
-rhel9cis_auditd_extra_conf: {}
-# Example:
-# rhel9cis_auditd_extra_conf:
-#   admin_space_left: '10%'
-
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
 ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index b830b1f..f235493 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -4,7 +4,7 @@
   ansible.builtin.lineinfile:
       path: /etc/audit/auditd.conf
       regexp: "^max_log_file( |=)"
-      line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
+      line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}"
   notify: Restart auditd
   when:
       - rhel9cis_rule_4_1_2_1

From ca41b128cd895410dab925c4db7694ce24ef7907 Mon Sep 17 00:00:00 2001
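Review bot: Deleting the `rhel9cis_auditd_extra_conf: {}` default in this hunk leaves the role broken at this commit, because the task in cis_4.1.2.x.yml that the next patch touches still evaluates `rhel9cis_auditd_extra_conf.keys() | length > 0` in its `when`, and an undefined variable there fails the play rather than skipping the task. Keep `rhel9cis_auditd_extra_conf: {}` and its example comment in this commit and let the follow-up replace them, so each commit leaves the defaults consistent with the tasks that read them. The removal of `rhel9cis_max_log_file_size` is also a silent break for inventories that override it; a one-line note next to `max_log_file: 10`, such as `# Replaces rhel9cis_max_log_file_size; values set under the old name are no longer read.`, would at least make that visible to operators.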
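Review bot: The new `line:` reads only `rhel9cis_auditd['max_log_file']`, so an inventory that still sets `rhel9cis_max_log_file_size` is silently ignored and the audit log size drops back to the default of 10, which for a hardening role means a site's retention policy is overridden without any error. A backward-compatible lookup keeps both spellings working: `line: "max_log_file = {{ rhel9cis_max_log_file_size | default(rhel9cis_auditd['max_log_file']) }}"`; if the old name is meant to disappear entirely, an `ansible.builtin.assert` that fails when it is still defined makes the break loud instead of silent. The enclosing task starts outside the hunk.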
From: Ionut Pruteanu
Date: Wed, 20 Dec 2023 22:21:14 +0200
Subject: [PATCH 2/2] Defining some threshold for (audit_)space_left vars, as well as a bool which governs if extra params will be configured

Signed-off-by: Ionut Pruteanu
---
 defaults/main.yml               | 11 +++++++++++
 tasks/section_4/cis_4.1.2.x.yml |  1 +
 2 files changed, 12 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 39d8691..58c84d7 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -529,6 +529,17 @@ rhel9cis_auditd:
     max_log_file: 10
     max_log_file_action: keep_logs
 
+# This value governs if the below extra-vars for auditd should be used by the role
+rhel9cis_auditd_extra_conf_usage: false
+
+# This can be used to configure other keys in auditd.conf
+# Example:
+# rhel9cis_auditd_extra_conf:
+#   admin_space_left: '10%'
+rhel9cis_auditd_extra_conf:
+    admin_space_left: 50
+    space_left: 75
+
 # The audit_back_log_limit value should never be below 8192
 rhel9cis_audit_back_log_limit: 8192
 
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index f235493..8370114 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -58,6 +58,7 @@
   notify: Restart auditd
   when:
       - rhel9cis_auditd_extra_conf.keys() | length > 0
+      - rhel9cis_auditd_extra_conf_usage
   tags:
       - level2-server
      - level2-workstation
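Review bot: The example comment kept above `rhel9cis_auditd_extra_conf` still shows `admin_space_left: '10%'` while the shipped default is a bare `50`, and in auditd.conf(5) a bare number for `space_left`/`admin_space_left` is megabytes whereas a percentage needs the `%` suffix, so the example and the default describe different units. The comment should also state that the dict is inert until `rhel9cis_auditd_extra_conf_usage` is `true`, and that `admin_space_left` should stay below `space_left` (the 50/75 defaults satisfy this; with the `admin_space_left_action: halt` default shown in the first patch, a mistaken override here takes the host down). Suggested replacement for the example comment: `# Applied only when rhel9cis_auditd_extra_conf_usage is true. Bare values are MB; quote a percentage ('10%'). Keep admin_space_left below space_left.`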
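Review bot: With the defaults in this same commit shipping a non-empty `rhel9cis_auditd_extra_conf`, the existing `rhel9cis_auditd_extra_conf.keys() | length > 0` condition only matters when an operator overrides the dict back to `{}`, so the new boolean is now the real switch and reads better as the first entry of the `when` list: `- rhel9cis_auditd_extra_conf_usage` followed by `- rhel9cis_auditd_extra_conf.keys() | length > 0`. Because the flag ships as `false`, deployments that previously populated `rhel9cis_auditd_extra_conf` to tune the space-left thresholds will stop applying them after upgrading unless they also set the flag; that behaviour change deserves a changelog entry. The enclosing task starts outside the hunk.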