From 084e6c67601a96aede12d15032e07d4880762854 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 29 Jul 2022 17:08:38 +0100
Subject: [PATCH] moved some controls to handlers

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 40 +++++++++++++++++++++++++++-------------
 tasks/auditd.yml | 21 ++++----------------
 2 files changed, 31 insertions(+), 30 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index 8c3c79c..9264a42 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -74,18 +74,6 @@
   args:
     warn: false
 
-- name: restart auditd
-  shell: service auditd restart
-  args:
-    warn: false
-  when:
-    - audit_rules_updated.changed or rule_4_1_2_1.changed or rule_4_1_2_2.changed or rule_4_1_2_3.changed
-  tags:
-    - skip_ansible_lint
-
 - name: grub2cfg
   shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
   args:
@@ -114,6 +102,32 @@
   systemd:
     daemon-reload: true
 
+## Auditd tasks note order for handlers to run
+
+- name: auditd_immutable_check
+  shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+  changed_when: false
+  register: auditd_immutable_check
+
+- name: audit_immutable_fact
+  debug:
+    msg: "Reboot required for auditd to apply new rules as immutable set"
+  notify: change_requires_reboot
+  when:
+    - auditd_immutable_check.stdout == '1'
+
+- name: restart auditd
+  shell: service auditd restart
+  args:
+    warn: false
+  when:
+    - audit_rules_updated.changed or rule_4_1_2_1.changed or rule_4_1_2_2.changed or rule_4_1_2_3.changed
+  tags:
+    - skip_ansible_lint
+
 - name: change_requires_reboot
   set_fact:
-    change_requires_reboot: true
+    change_requires_reboot: true
\ No newline at end of file
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 837c7e1..9c5a14e 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
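Review bot: The `auditd_immutable_check` handler fails whenever the rules file contains no `-e 2` line, because `grep -c` exits 1 on zero matches and the shell module treats a non-zero rc as failure (`changed_when` is overridden, `failed_when` is not); unless the template always renders `-e 2`, that aborts the handler flush before `restart auditd` runs, so new audit rules would be written to disk but never loaded. Add `failed_when: auditd_immutable_check.rc > 1` to the check handler so only a real grep error (rc 2, e.g. missing file) fails it, and in `audit_immutable_fact` test `auditd_immutable_check.stdout | int > 0` instead of `== '1'`, which also misses a file listing `-e 2` more than once. The check inspects only the file on disk, while whether a reboot is really needed depends on whether the running kernel is already locked (presumably `auditctl -s` reporting `enabled 2`) — worth probing that as well, since a freshly templated `-e 2` on a not-yet-locked kernel is applied fine by the restart. The existing `## Auditd tasks note order for handlers to run` comment should say why order matters, e.g. `# Handlers run in the order defined here, not in notify order: the immutable check must precede restart auditd`. The handler definitions are complete within this hunk.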
@@ -6,7 +6,10 @@
     group: root
     mode: 0600
   register: audit_rules_updated
-  notify: restart auditd
+  notify:
+    - auditd_immutable_check
+    - audit_immutable_fact
+    - restart auditd
 
 - name: POST | Set up auditd user logging exceptions
   template:
@@ -19,19 +22,3 @@
   when:
     - allow_auditd_uid_user_exclusions
     - rhel9cis_auditd_uid_exclude | length > 0
-
-- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable
-  block:
-    - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied
-      shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
-      changed_when: false
-      register: auditd_immutable_check
-
-    - name: POST | AUDITD | Set reboot required if auditd immutable
-      debug:
-        msg: "Reboot required for auditd to apply new rules as immutable set"
-      notify: change_requires_reboot
-      when:
-        - auditd_immutable_check.stdout == '1'
-  when:
-    - audit_rules_updated.changed
\ No newline at end of file
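Review bot: The new `notify` list reads as if it encodes an execution order, but Ansible runs notified handlers in the order they are defined in handlers/main.yml, not in list order, so nothing in this file guarantees `auditd_immutable_check` runs before `restart auditd`; a comment above the list would stop the next maintainer from reordering the handlers file, e.g. `# order is fixed by handlers/main.yml: immutable check, reboot fact, then restart auditd`. The names also mix prefixes (`auditd_immutable_check` vs `audit_immutable_fact`), and a typo in a notify target is only caught at run time after the template has already been written, so aligning both on one prefix (renaming the handler definitions together) is cheap insurance. The template task these lines belong to starts before the hunk.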