ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-25 14:43:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

updated for issue #226

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2024-08-09 16:20:14 +01:00
parent cf4376f1f7
commit 22cd20c067
No known key found for this signature in database
GPG key ID: 997FF7FE93AEB5B9
1 changed files with 4 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

9
tasks/section_4/cis_4.1.4.x.yml
View file

@ -23,7 +23,7 @@
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout }}"
mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
mode: 'u-x,g-rw,o-rwx'
owner: root
group: root
when:
@ -50,7 +50,7 @@
ansible.builtin.file:
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: '0750'
mode: 'g-w,o-rwx'
when: not auditlog_dir.stat.mode is match('07(0|5)0')
when:
- rhel9cis_rule_4_1_4_4
@ -64,7 +64,7 @@
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
ansible.builtin.file:
path: "{{ item.path }}"
mode: "{{ '0600' if item.mode == '0600' else '0640' }}"
mode: 'u-x,g-wx,u-rwx'
loop: "{{ auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
@ -126,8 +126,7 @@
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
ansible.builtin.file:
path: "{{ item.item }}"
mode: '0750'
mode: 'go-w'
loop: "{{ audit_bins.results }}"
loop_control:
label: "{{ item.item }}"