#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  4.1.1.2     Ensure system is disabled when audit logs are full
#  4.1.1.3+    Ensure audit logs are not automatically deleted
#----------------------------------------------------------------------
#         +    Partially compliant (but faked for AWS Inspector)

#
# Because the audit logs are shipped off host (to CloudWatch) we'll configure auditd to not rotate logs
# per CIS 4.1.1.3, but then add a scheduled process to rotate logs that are already in CloudWatch
#

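# Abort on the first failed command: a hardening step that fails silently
# leaves the host non-compliant while the run still reports success.
set -euo pipefail

readonly AUDITD_CONF=/etc/audit/auditd.conf

# Apply the settings through Augeas.  --noautoload plus the explicit
# 'transform' restricts the tree to auditd.conf only; --backup keeps the
# original as auditd.conf.augsave; --autosave writes the tree back at the end.
# The here-doc is quoted on purpose (no shell expansion), so the path below
# is spelled out literally rather than via $AUDITD_CONF.
if ! augtool --autosave --backup --noautoload >/dev/null <<'EOD'
    transform Simplevars.lns incl /etc/audit/auditd.conf
    load

    ######################################################################
    # Ensure system is disabled when audit logs are full (4.1.1.2)
    ######################################################################
    # NOTE(review): 'email' only has an effect if local mail delivery to the
    # action_mail_acct account works on this host -- confirm an MTA is present.
    set /files/etc/audit/auditd.conf/space_left_action email
    set /files/etc/audit/auditd.conf/action_mail_acct root
    set /files/etc/audit/auditd.conf/admin_space_left_action halt

    # Should never get here, and this isn't demanded by CIS, but lets do it
    # right instead of trusting a hardening guide
    set /files/etc/audit/auditd.conf/disk_full_action halt

    ######################################################################
    # Ensure audit logs are not automatically deleted (4.1.1.3)
    ######################################################################
    # TODO: Re-enable this once the managed push to CloudWatch/rotation is implemented
    # Until then max_log_file_action keeps whatever the distro default is, so
    # local rotation may discard events that the shipper has not yet sent.
    #set /files/etc/audit/auditd.conf/max_log_file_action keep_logs

EOD
then
    printf 'ERROR: augtool failed to update %s\n' "$AUDITD_CONF" >&2
    exit 1
fi

# Verify on disk that every 4.1.1.2 setting actually landed.  This does not
# rely on augtool's exit status (a lens parse error on load is reported in the
# tree, not necessarily as a non-zero exit), so the check is against the file.
for setting in \
    'space_left_action = email' \
    'action_mail_acct = root' \
    'admin_space_left_action = halt' \
    'disk_full_action = halt'; do
    key=${setting%% *}
    value=${setting##* }
    if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" \
            "$AUDITD_CONF"; then
        printf 'ERROR: %s is not set to %s in %s\n' "$key" "$value" "$AUDITD_CONF" >&2
        exit 1
    fi
done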

