RHEL9-CIS/tasks/section_6/cis_6.3.3.x.yml

---

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  when: rhel9cis_rule_6_3_3_1
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.1
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
  when: rhel9cis_rule_6_3_3_2
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.2
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
  when: rhel9cis_rule_6_3_3_3
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
  when: rhel9cis_rule_6_3_3_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.4
    - NIST800-53R5_AU-3
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
  when: rhel9cis_rule_6_3_3_5
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.5
    - NIST800-53R5_AU-3
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
  when: rhel9cis_rule_6_3_3_6
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.6
    - NIST800-53R5_AU-3
  block:
    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
      ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_priv_procs

    - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
      ansible.builtin.set_fact:
        update_audit_template: true
      notify: update auditd

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
  when: rhel9cis_rule_6_3_3_7
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.7
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
  when: rhel9cis_rule_6_3_3_8
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.8
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
  when: rhel9cis_rule_6_3_3_9
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.9
    - NIST800-53R5_AU-3
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
  when: rhel9cis_rule_6_3_3_10
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.10
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
  when: rhel9cis_rule_6_3_3_11
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.11
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
  when: rhel9cis_rule_6_3_3_12
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.12
    - NIST800-53R5_AU-3
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
  when: rhel9cis_rule_6_3_3_13
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.13
    - NIST800-53R5_AU-12
    - NIST800-53R5_SC-7
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
  when: rhel9cis_rule_6_3_3_14
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.14
    - NIST800-53R5_AU-3
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
  when: rhel9cis_rule_6_3_3_15
  tags:
    - level2-server
    - level2- workstation
    - patch
    - auditd
    - rule_6.3.3.15
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
  when: rhel9cis_rule_6_3_3_16
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.16
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
  when: rhel9cis_rule_6_3_3_17
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.17
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
  when: rhel9cis_rule_6_3_3_18
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.18
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
  when: rhel9cis_rule_6_3_3_19
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.19
    - NIST800-53R5_AU-3
    - NIST800-53R5_CM-6
  ansible.builtin.set_fact:
    update_audit_template: true

# All changes selected are managed by the POST audit and handlers to update
- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
  when: rhel9cis_rule_6_3_3_20
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.3.20
    - NIST800-53R5_AC-3
    - NIST800-53R5_AU-3
    - NIST800-53R5_MP-2
  ansible.builtin.set_fact:
    update_audit_template: true

- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
  when: rhel9cis_rule_6_3_3_21
  tags:
    - level2-server
    - level2-workstation
    - manual
    - patch
    - auditd
    - rule_6.3.3.21
    - NIST800-53R5_AU-3
  ansible.builtin.debug:
    msg:
      - "Please run augenrules --load if you suspect there is a configuration that is not active"

- name: Auditd | 6.3.3.x | Auditd controls updated
  when: update_audit_template
  ansible.builtin.debug:
    msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
  changed_when: false
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`---`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.1 \| PATCH \| Ensure changes to system administration scope (sudoers) is collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_1`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.1`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.2 \| PATCH \| Ensure actions as another user are always logged"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_2`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.2`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.3 \| PATCH \| Ensure events that modify the sudo log file are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_3`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.4 \| PATCH \| Ensure events that modify date and time information are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_4`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.4`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.5 \| PATCH \| Ensure events that modify the system's network environment are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_5`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.5`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.6 \| PATCH \| Ensure use of privileged commands is collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_6`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.6`
			`- NIST800-53R5_AU-3`
			`block:`
			`- name: "6.3.3.6 \| PATCH \| Ensure use of privileged commands is collected"`
			`ansible.builtin.shell: for i in $(df \| grep '^/dev' \| awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done`
			`changed_when: false`
			`failed_when: false`
			`check_mode: false`
lint and var renaming Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-11-04 18:39:01 +00:00			`register: discovered_priv_procs`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00
			`- name: "6.3.3.6 \| PATCH \| Ensure use of privileged commands is collected"`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`
			`notify: update auditd`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.7 \| PATCH \| Ensure unsuccessful file access attempts are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_7`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.7`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.8 \| PATCH \| Ensure events that modify user/group information are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_8`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.8`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.9 \| PATCH \| Ensure discretionary access control permission modification events are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_9`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.9`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.10 \| PATCH \| Ensure successful file system mounts are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_10`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.10`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.11 \| PATCH \| Ensure session initiation information is collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_11`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.11`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.12 \| PATCH \| Ensure login and logout events are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_12`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.12`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.13 \| PATCH \| Ensure file deletion events by users are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_13`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.13`
			`- NIST800-53R5_AU-12`
			`- NIST800-53R5_SC-7`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.14 \| PATCH \| Ensure events that modify the system's Mandatory Access Controls are collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_14`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.14`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.15 \| PATCH \| Ensure successful and unsuccessful attempts to use the chcon command are recorded"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_15`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2- workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.15`
			`- NIST800-53R5_AU-2`
			`- NIST800-53R5_AU-12`
			`- NIST800-53R5_SI-5`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.16 \| PATCH \| Ensure successful and unsuccessful attempts to use the setfacl command are recorded"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_16`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.16`
			`- NIST800-53R5_AU-2`
			`- NIST800-53R5_AU-12`
			`- NIST800-53R5_SI-5`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.17 \| PATCH \| Ensure successful and unsuccessful attempts to use the chacl command are recorded"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_17`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.17`
			`- NIST800-53R5_AU-2`
			`- NIST800-53R5_AU-12`
			`- NIST800-53R5_SI-5`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.18 \| PATCH \| Ensure successful and unsuccessful attempts to use the usermod command are recorded"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_18`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.18`
			`- NIST800-53R5_AU-2`
			`- NIST800-53R5_AU-12`
			`- NIST800-53R5_SI-5`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.19 \| PATCH \| Ensure kernel module loading and unloading and modification is collected"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_19`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.19`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_CM-6`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`# All changes selected are managed by the POST audit and handlers to update`
			`- name: "6.3.3.20 \| PATCH \| Ensure the audit configuration is immutable"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_20`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- patch`
			`- auditd`
			`- rule_6.3.3.20`
			`- NIST800-53R5_AC-3`
			`- NIST800-53R5_AU-3`
			`- NIST800-53R5_MP-2`
			`ansible.builtin.set_fact:`
			`update_audit_template: true`

			`- name: "6.3.3.21 \| AUDIT \| Ensure the running and on disk configuration is the same"`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: rhel9cis_rule_6_3_3_21`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`tags:`
			`- level2-server`
			`- level2-workstation`
			`- manual`
			`- patch`
			`- auditd`
			`- rule_6.3.3.21`
			`- NIST800-53R5_AU-3`
			`ansible.builtin.debug:`
			`msg:`
			`- "Please run augenrules --load if you suspect there is a configuration that is not active"`

			`- name: Auditd \| 6.3.3.x \| Auditd controls updated`
updated yamllint, company naming, linting and spacing Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-12-04 11:45:13 +00:00			`when: update_audit_template`
initial v2 Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com> 2024-07-24 14:05:46 +01:00			`ansible.builtin.debug:`
			`msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"`
			`changed_when: false`