Initial

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_4/cis_4.1.1.x.yml

@@ -0,0 +1,103 @@
+---
+
+- name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed"
+  block:
+      - name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd packages"
+        package:
+            name: audit
+            state: present
+        when: '"auditd" not in ansible_facts.packages'
+
+      - name: "4.1.1.1 | L2 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
+        package:
+            name: audit-libs
+            state: present
+        when: '"auditd-lib" not in ansible_facts.packages'
+  when:
+      - rhel9cis_rule_4_1_1_1
+  tags:
+      - level2-server
+      - level2-workstation
+      - patch
+      - rule_4.1.1.1
+
+- name: "4.1.1.2 | L2 | PATCH | Ensure auditd service is enabled"
+  service:
+      name: auditd
+      state: started
+      enabled: yes
+  when:
+      - not rhel9cis_skip_for_travis
+      - rhel9cis_rule_4_1_1_2
+      - ansible_connection != 'docker'
+  tags:
+      - level2-server
+      - level2-workstation
+      - auditd
+      - patch
+      - rule_4.1.1.2
+
+- name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
+  block:
+      - name: "4.1.1.3 | L2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
+        shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_4_1_1_3_grub_cmdline_linux
+
+      - name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
+        replace:
+            dest: /etc/default/grub
+            regexp: 'audit=.'
+            replace: 'audit=1'
+        notify: grub2cfg
+        when: "'audit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
+
+      - name: "4.1.1.3 | L2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
+        lineinfile:
+            path: /etc/default/grub
+            regexp: '^GRUB_CMDLINE_LINUX='
+            line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit=1"'
+        notify: grub2cfg
+        when: "'audit=' not in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
+  when:
+      - rhel9cis_rule_4_1_1_3
+  tags:
+      - level2-server
+      - level2-workstation
+      - auditd
+      - patch
+      - rule_4.1.1.3
+
+- name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient"
+  block:
+      - name: "4.1.1.4 | L2 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
+        shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
+        changed_when: false
+        failed_when: false
+        check_mode: no
+        register: rhel9cis_4_1_1_4_grub_cmdline_linux
+
+      - name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
+        replace:
+            dest: /etc/default/grub
+            regexp: 'audit_backlog_limit=\d+'
+            replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
+        notify: grub2cfg
+        when: "'audit_backlog_limit=' in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout"
+
+      - name: "4.1.1.4 | L2 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
+        lineinfile:
+            path: /etc/default/grub
+            regexp: '^GRUB_CMDLINE_LINUX='
+            line: '{{ rhel9cis_4_1_1_4_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
+        notify: grub2cfg
+        when: "'audit_backlog_limit=' not in rhel9cis_4_1_1_4_grub_cmdline_linux.stdout"
+  when:
+      - rhel9cis_rule_4_1_1_4
+  tags:
+      - level2-server
+      - level2-workstation
+      - patch
+      - rule_4.1.1.4