From 6eeae19517bc8834d86bef908783ec30922bbd4f Mon Sep 17 00:00:00 2001 From: RoboPickle <158301938+RoboPickle@users.noreply.github.com> Date: Thu, 14 Mar 2024 17:13:34 +0000 Subject: [PATCH] Address issues in 4.1.1.2 and 4.1.1.3 including idempotent status (#188) * Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Signed-off-by: John Foster * Fixed issues with 4.1.1.2 and 4.1.1.3 Now handle multiple kernels and are idempotent Removed debug messages Signed-off-by: John Foster --------- Signed-off-by: John Foster --- tasks/section_4/cis_4.1.1.x.yml | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/tasks/section_4/cis_4.1.1.x.yml b/tasks/section_4/cis_4.1.1.x.yml index cbf9209..3d0082a 100644 --- a/tasks/section_4/cis_4.1.1.x.yml +++ b/tasks/section_4/cis_4.1.1.x.yml @@ -25,7 +25,7 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled" block: - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value" - ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" + ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p' changed_when: false failed_when: false check_mode: false @@ -34,7 +34,9 @@ - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed" ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1" when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1 + - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or + '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or + 'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower when: - rhel9cis_rule_4_1_1_2 tags: 
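Review bot: The 4.1.1.2 detection still misses a kernel that has no `audit=` argument at all while another kernel carries `audit=1`: the sed in the first hunk prints only the lines that match, so a partially configured multi-kernel host yields a non-empty stdout containing neither `0` nor `off`, and the update task in the second hunk is skipped. Emitting a marker for non-matching lines closes the gap, e.g. `sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p; t; s/.*/missing/p'` together with `'missing' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or` added to the `when` list. The same per-kernel gap applies to 4.1.1.3 in the third hunk, where `stdout_lines == []` fires only when every kernel lacks the argument. The `'0' in …stdout` test is likewise a substring match over all kernels' output rather than a per-value check (a loop over `stdout_lines` testing `item != '1'` would mirror the 4.1.1.3 approach), and the first hunk's bare shell string could use the quoted `cmd:` form the third hunk adopts. The enclosing `block:` for 4.1.1.2 continues outside both hunks.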
@@ -48,16 +50,32 @@ - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient" block: - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value" - ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+" + ansible.builtin.shell: + cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"' changed_when: false failed_when: false check_mode: false register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux - - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed" - ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}" + - name: "4.1.1.3 | AUDIT | Check to see if limits are set" + ansible.builtin.set_fact: + rhel9cis_4_1_1_3_reset_backlog_limits: true when: - - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit + - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or + rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == [] + + - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low" + ansible.builtin.set_fact: + rhel9cis_4_1_1_3_reset_backlog_limits: true + when: + - (item | int < rhel9cis_audit_back_log_limit) + loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}" + + - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied" + ansible.builtin.shell: + cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"' + when: + - rhel9cis_4_1_1_3_reset_backlog_limits is defined when: - rhel9cis_rule_4_1_1_3 tags:
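Review bot: `rhel9cis_4_1_1_3_reset_backlog_limits` is only ever set to `true` and never cleared, so the final `is defined` test stays satisfied for the rest of the play once any kernel has needed a fix; if this task file runs more than once against the same host in one playbook (an audit pass followed by remediation, for instance) the grubby update would be re-applied even when nothing is out of range, which undercuts the idempotency the commit aims for. Initializing the flag to `false` at the top of the block and testing it with `| bool` keeps the decision local to each run. The comparison `(item | int < rhel9cis_audit_back_log_limit)` casts only the left operand; `rhel9cis_audit_back_log_limit` is defined outside this file, and if it arrives as a string from inventory Jinja2 would compare int to str, so `(item | int < rhel9cis_audit_back_log_limit | int)` is safer. The enclosing block and its `tags:` continue past the end of the hunk.
```yaml
    - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Reset decision flag"
      ansible.builtin.set_fact:
        rhel9cis_4_1_1_3_reset_backlog_limits: false

    # … unchanged: grubby existence check, "limits are set" and "limits are too low" tasks …

    - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
      # … unchanged: ansible.builtin.shell cmd …
      when:
        - rhel9cis_4_1_1_3_reset_backlog_limits | bool
```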