From b5a5d3e9519cbadc97c5e3e212015227fdd9d0c9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Thu, 26 Jan 2023 15:00:10 +0000
Subject: [PATCH] Additional; step to show diff of template

Signed-off-by: Mark Bolwell
---
 tasks/auditd.yml | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 6704125..f8d2fe6 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -1,25 +1,36 @@
 ---
+- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
+  ansible.builtin.stat:
+    path: /etc/audit/rules.d/99_auditd.rules
+  register: auditd_file
 
-- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
+- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | setup file
   ansible.builtin.template:
     src: audit/99_auditd.rules.j2
     dest: /etc/audit/rules.d/99_auditd.rules
     owner: root
     group: root
     mode: 0640
+  diff: "{{ auditd_file.stat.exists }}" # Only run diff if not a new file
   register: audit_rules_updated
   notify:
     - Auditd immutable check
     - Audit immutable fact
     - Restart auditd
 
-- name: POST | Set up auditd user logging exceptions
+- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added | stat file
+  ansible.builtin.stat:
+    path: /etc/audit/rules.d/98_auditd_exceptions.rules
+  register: auditd_exception_file
+
+- name: POST | Set up auditd user logging exceptions | setup file
   ansible.builtin.template:
     src: audit/98_auditd_exception.rules.j2
     dest: /etc/audit/rules.d/98_auditd_exceptions.rules
     owner: root
     group: root
-    mode: 0600
+    mode: 0640
+  diff: "{{ auditd_exception_file.stat.exists }}"
   notify: Restart auditd
   when:
     - allow_auditd_uid_user_exclusions
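Review bot: The second new stat task (the one registering `auditd_exception_file`) reuses the first task's name verbatim, so the play output will show two tasks called `… section 4.1.3 … | stat file` even though this one stats `98_auditd_exceptions.rules` for the exceptions template; rename it `- name: POST | Set up auditd user logging exceptions | stat file` so it matches the template task it feeds. The same hunk also changes the exceptions rules file from `mode: 0600` to `mode: 0640`, which adds group read on an audit rules file and is not mentioned in the subject or description — either state the reason in the commit message or keep it as a separate commit so the permission change is reviewable on its own. Both mode values are unquoted leading-zero octals, which only parse as intended because the loader applies YAML 1.1 integer rules; `mode: "0640"` is the form ansible-lint prefers and removes that dependency.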