improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2025-12-24 22:23:06 +00:00 · 2024-08-07 10:31:31 +01:00 · 2024-08-07 10:31:31 +01:00 · 2a7d08da08
commit 2a7d08da08
parent 47dc0c5b4c
5 changed files with 211 additions and 284 deletions
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@ -10,17 +10,10 @@
    - auditd
    - rule_6.3.4.1
    - NIST800-53R5_AU-3
-  block:
-    - name: "6.3.4.1 | AUDIT | Ensure the audit log file directory mode is configured | get current permissions"
-      ansible.builtin.stat:
-        path: "{{ audit_discovered_logfile.stdout | dirname }}"
-      register: auditlog_dir
-
-    - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured | set"
-      ansible.builtin.file:
-        path: "{{ audit_discovered_logfile.stdout | dirname }}"
-        state: directory
-        mode: 'g-w,o-rwx'
+  ansible.builtin.file:
+    path: "{{ prelim_auditd_logfile.stdout | dirname }}"
+    state: directory
+    mode: 'g-w,o-rwx'

 - name: |
    "6.3.4.2 | PATCH | Ensure audit log files mode is configured"
@ -39,21 +32,11 @@
    - rule_6.3.4.2
    - rule_6.3.4.3
    - NIST800-53R5_AU-3
-  block:
-    - name: "6.3.4.2 | AUDIT | Ensure audit log files mode is configured | discover file"
-      ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
-      changed_when: false
-      register: audit_discovered_logfile
-
-    - name: |
-        "6.3.4.2 | PATCH | Ensure audit log files mode is configured"
-        "6.3.4.3 | PATCH | Ensure audit log files owner is configured"
-        "6.3.4.4 | PATCH | Ensure audit log files group owner is configured"
-      ansible.builtin.file:
-        path: "{{ audit_discovered_logfile.stdout }}"
-        mode: 'o-x,g-wx,o-rwx'
-        owner: root
-        group: root
+  ansible.builtin.file:
+    path: "{{ prelim_auditd_logfile.stdout }}"
+    mode: 'o-x,g-wx,o-rwx'
+    owner: root
+    group: root

 - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
  when:
@ -67,7 +50,7 @@
  ansible.builtin.file:
    path: "{{ item.path }}"
    mode: 'u-x,g-wx,o-rwx'
-  loop: "{{ auditd_conf_files.files }}"
+  loop: "{{ prelim_auditd_conf_files.files }}"
  loop_control:
    label: "{{ item.path }}"

@ -83,7 +66,7 @@
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: root
-  loop: "{{ auditd_conf_files.files | default([]) }}"
+  loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"

@ -99,7 +82,7 @@
  ansible.builtin.file:
    path: "{{ item.path }}"
    group: root
-  loop: "{{ auditd_conf_files.files | default([]) }}"
+  loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"

@ -114,7 +97,7 @@
    - rule_6.3.4.8
    - NIST800-53R5_AU-3
  ansible.builtin.file:
-    path: "{{ item.item }}"
+    path: "{{ item }}"
    mode: 'go-w'
  loop:
    - /sbin/auditctl