diff --git a/tasks/section_4/cis_4.3.yml b/tasks/section_4/cis_4.3.yml
index 0038b34..be17c70 100644
--- a/tasks/section_4/cis_4.3.yml
+++ b/tasks/section_4/cis_4.3.yml
@@ -13,21 +13,37 @@
 state: started
 enabled: true
- - name: "4.3 | AUDIT | Ensure logrotate is configured | Get logrotate settings"
- ansible.builtin.find:
- paths: /etc/logrotate.d/
- register: log_rotates
- - name: "4.3 | PATCH | Ensure logrotate is configured"
+ - name: "4.3 | PATCH | Ensure logrotate is configured | set default conf"
 ansible.builtin.replace:
- path: "{{ item.path }}"
+ path: "/etc/logrotate.conf"
 regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
 replace: "\\1{{ rhel9cis_logrotate }}"
- loop:
- - "{{ log_rotates.files }}"
- - { path: "/etc/logrotate.conf" }
- loop_control:
- label: "{{ item.path }}"
+
+ - name: "4.3 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings"
+ ansible.builtin.find:
+ paths: /etc/logrotate.d/
+ contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$'
+ register: log_rotates
+
+ - name: "4.3 | AUDIT | Ensure logrotate is configured"
+ block:
+ - name: "4.3 | AUDIT | Ensure logrotate is configured | generate file list"
+ ansible.builtin.set_fact:
+ logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}"
+
+ - name: "4.3 | AUDIT | Ensure logrotate is configured | List configured files"
+ ansible.builtin.debug:
+ msg: |
+ "Warning!! The following files are not covered by default logrotate settings ensure they match site policy"
+ "{{ logrotate_non_def_conf }}"
+ loop: "{{ log_rotates.files }}"
+
+ - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count"
+ ansible.builtin.import_tasks: warning_facts.yml
+ vars:
+ warn_control_id: '4.3'
+ when: log_rotates.matched > 0
+
 when:
 - rhel9cis_rule_4_3
 tags:
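Review bot: The "List configured files" debug task loops over `log_rotates.files` but its message already prints the full `logrotate_non_def_conf` join, so the same warning with the complete file list is emitted once per matching file instead of once; drop the `loop: "{{ log_rotates.files }}"` line (or print `{{ item.path }}` in place of the joined fact). Once the loop is gone the debug no longer skips on an empty result, so move `when: log_rotates.matched > 0` from the "Warning count" sub-task up to the enclosing `block:` so that set_fact, debug and the warning import all skip together when nothing was found. The `contains:` pattern interpolates `rhel9cis_logrotate` inside a negative lookahead, so any regex metacharacter in that variable would change the match; `(?!{{ rhel9cis_logrotate | regex_escape }})` keeps it literal. The outer task's `when:`/`tags:` continue past the end of the hunk.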