From 1d96539637f3a395985c4fc5ee4d2177b8b7650d Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 14 Oct 2022 12:29:06 +0100
Subject: [PATCH] Exentsion to auditd

Signed-off-by: Mark Bolwell
---
 defaults/main.yml               |  7 +++++++
 tasks/section_4/cis_4.1.2.x.yml | 16 ++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 24ca2e7..2cbbbc8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -508,6 +508,13 @@ update_audit_template: false
 ## Advanced option found in auditd post
 allow_auditd_uid_user_exclusions: false
 
+
+# This can be used to configure other keys in auditd.conf
+rhel9cis_auditd_extra_conf: {}
+# Example:
+# rhel9cis_auditd_extra_conf:
+#   admin_space_left: '10%'
+
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
 ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml
index 0eec0b2..a3ab990 100644
--- a/tasks/section_4/cis_4.1.2.x.yml
+++ b/tasks/section_4/cis_4.1.2.x.yml
@@ -51,3 +51,19 @@
     - patch
     - auditd
     - rule_4.1.2.3
+
+- name: PATCH | Configure other keys for auditd.conf
+  lineinfile:
+    path: /etc/audit/auditd.conf
+    regexp: "^{{ item }}( |=)"
+    line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
+  loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
+  notify: restart auditd
+  when:
+    - rhel9cis_auditd_extra_conf.keys() | length > 0
+  tags:
+    - level2-server
+    - level2-workstation
+    - automated
+    - patch
+    - auditd
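Review bot: The comment above `rhel9cis_auditd_extra_conf` in defaults/main.yml should say what the role does with these entries, since a wrong directive name or value is written into /etc/audit/auditd.conf as-is and is only discovered when the daemon is restarted. Suggested wording: `# Additional auditd.conf directives written verbatim as "key = value" (no validation; an invalid entry will stop auditd from restarting, and any key also managed by the 4.1.2.x rules is overridden by the value given here)`. The example is already quoted (`'10%'`), which is the right call for a value containing `%`.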
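Review bot: The new task in tasks/section_4/cis_4.1.2.x.yml runs after the CIS-managed auditd.conf settings earlier in this file and places no restriction on the keys, so an operator value for a directive the 4.1.2.x rules just enforced (the preceding task is tagged rule_4.1.2.3) silently overrides the hardened value while the role still reports the rule applied; either document this clearly on the variable or reject keys the role already manages, for example `when: item not in rhel9cis_auditd_managed_keys` with that list defined in defaults (the name is a placeholder). The key is also interpolated straight into the regex, so `regexp: "^{{ item | regex_escape }}( |=)"` is safer than `regexp: "^{{ item }}( |=)"` even though valid auditd directive names contain no metacharacters. The `when: rhel9cis_auditd_extra_conf.keys() | length > 0` guard is redundant because a loop over an empty dict runs no iterations; `loop: "{{ rhel9cis_auditd_extra_conf | dict2items }}"` with `item.key` / `item.value` would read more idiomatically than indexing the dict by `item`. I cannot see the handler definition, so whether `restart auditd` matches the handler name in this role is unverified from the hunk.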