From 63118b9b04c4ef263422c893f44594baafe0a454 Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Wed, 4 Oct 2023 18:07:07 +0100
Subject: [PATCH] From rsyslog to jornald fix for 3.3.7 Removed unneded 4.2.1.x

---
 defaults/main.yml | 4 +++-
 tasks/post.yml | 18 ++++++++++++++++++
 tasks/section_3/cis_3.3.x.yml | 5 +++++
 tasks/section_4/cis_4.2.1.x.yml | 15 ---------------
 4 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 3fe96c1..49169f9 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -523,7 +523,8 @@ rhel9cis_auditd_extra_conf: {}
 ## Preferred method of logging
 ## Whether rsyslog or journald preferred method for local logging
 ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
-rhel9cis_syslog: rsyslog
+#rhel9cis_syslog: rsyslog
+rhel9cis_syslog: journald
 rhel9cis_rsyslog_ansiblemanaged: true
 
 #### 4.2.1.6 remote and destation log server name
@@ -536,6 +537,7 @@ rhel9cis_remote_log_queuesize: 1000
 
 #### 4.2.1.7
 rhel9cis_system_is_log_server: false
+#rhel9cis_system_is_log_server: true
 
 # 4.2.2.1.2
 # rhel9cis_journal_upload_url is the ip address to upload the journal entries to
diff --git a/tasks/post.yml b/tasks/post.yml
index 3f1f706..2ac8f37 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
@@ -26,6 +26,24 @@
     - not system_is_container
     - "'procps-ng' in ansible_facts.packages"
 
+- name: POST | Update usr sysctl
+  block:
+    - name: POST | Set default.rp_filter
+      ansible.builtin.lineinfile:
+        path: /usr/lib/sysctl.d/50-default.conf
+        regexp: '^net.ipv4.conf.default.rp_filter'
+        line: net.ipv4.conf.default.rp_filter = 1
+
+    - name: POST | Set ALL rp_filter
+      ansible.builtin.lineinfile:
+        path: /usr/lib/sysctl.d/50-default.conf
+        regexp: '^net.ipv4.conf.*.rp_filter'
+        line: net.ipv4.conf.*.rp_filter = 1
+  when:
+    - rhel9cis_sysctl_update
+    - not system_is_container
+    - "'procps-ng' in ansible_facts.packages"
+
 - name: Flush handlers
   ansible.builtin.meta: flush_handlers
 
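Review bot: The new `#rhel9cis_syslog: rsyslog` line, and `#rhel9cis_system_is_log_server: true` in the second hunk of this file, leave commented-out alternative values in the defaults instead of documenting the change of default. A reader cannot tell whether these are examples or leftovers; replace them with a comment that states the intent, e.g. `## Default changed from rsyslog to journald; set to rsyslog to keep the 4.2.1.x rsyslog controls active` above `rhel9cis_syslog: journald`, and drop the commented `rhel9cis_system_is_log_server` line. Because the default now selects journald, consumers that relied on the previous rsyslog default presumably get the journald controls instead, which is worth stating in the role's changelog as well.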
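Review bot: In `POST | Set ALL rp_filter` the regexp `'^net.ipv4.conf.*.rp_filter'` is unescaped, so `.*` matches any text and the pattern also matches the `net.ipv4.conf.default.rp_filter` line the previous task just wrote; lineinfile replaces the last matching line, so depending on line order in 50-default.conf the `default` entry can be overwritten by the `*` one. Escape the metacharacters: `regexp: '^net\.ipv4\.conf\.\*\.rp_filter'` (and `regexp: '^net\.ipv4\.conf\.default\.rp_filter'` in the first task). The block is gated only on `rhel9cis_sysctl_update`, not on `rhel9cis_rule_3_3_7`, so the 3.3.7 setting is applied even when that rule is disabled; add `- rhel9cis_rule_3_3_7` to the `when:` list. Note also that `/usr/lib/sysctl.d/50-default.conf` lives in the vendor directory, which package updates can overwrite and revert, whereas the `/etc/sysctl.d/` drop-in already written by the handler is the persistent location.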
diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml
index e8f3a5f..91c419c 100644
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@@ -145,6 +145,11 @@
       - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
         ansible.builtin.debug:
           msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
+      - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled in "
+        ansible.builtin.debug:
+          msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
+
   when:
     - rhel9cis_rule_3_3_7
   tags:
diff --git a/tasks/section_4/cis_4.2.1.x.yml b/tasks/section_4/cis_4.2.1.x.yml
index 765ad98..bea7831 100644
--- a/tasks/section_4/cis_4.2.1.x.yml
+++ b/tasks/section_4/cis_4.2.1.x.yml
@@ -214,19 +214,4 @@
     - patch
     - rsyslog
     - rule_4.2.1.7
 
-- name: "4.2.2.3/4 | PATCH | Ensure journald is configured to compress large log files into persistent storage."
-  ansible.builtin.template:
-    src: "etc/systemd/{{ item }}.j2"
-    dest: "/etc/systemd/{{ item }}"
-    owner: root
-    group: root
-    mode: '0644'
-  register: sysctl_updated
-  notify: Reload sysctl
-  loop:
-    - journald.conf
-  when:
-    - rhel9cis_sysctl_update
-    - not system_is_container
-    - "'procps-ng' in ansible_facts.packages"
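Review bot: The added task's name is truncated at `"... is enabled in "` and its debug message repeats the existing one verbatim, so it prints a second identical message instead of describing anything new. Presumably it was meant to point at the POST tasks that edit /usr/lib/sysctl.d/50-default.conf; either drop it or finish it, e.g. `- name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled in /usr/lib/sysctl.d"` with `msg: "Control also being set via POST task 'POST | Update usr sysctl' which writes to /usr/lib/sysctl.d/50-default.conf"`. The enclosing 3.3.7 task starts before this hunk, so its block header is not visible here.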