---

- name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
  when: rhel9cis_rule_6_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - journald
    - rule_6.2.1.1
  ansible.builtin.systemd:
    name: systemd-journald.service
    masked: false
    state: started

- name: "6.2.1.2 | PATCH | Ensure journald log file access is configured"
  when: rhel9cis_rule_6_2_1_2
  tags:
    - level1-server
    - level1-workstation
    - audit
    - journald
    - rule_6.2.1.2
  block:
    - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
      ansible.builtin.file:
        path: /usr/lib/tmpfiles.d/systemd.conf
        mode: 'g-wx,o-rwx'

    - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
      ansible.builtin.stat:
        path: /etc/tmpfiles.d/systemd.conf
      register: discovered_tmpfile_override

    - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
      when: discovered_tmpfile_override.stat.exists
      ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
      register: discovered_journald_fileperms_override
      changed_when: false
      failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ]

    - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
        - discovered_tmpfile_override.stat.exists
        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"

    - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
        - discovered_tmpfile_override.stat.exists
        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      vars:
        warn_control_id: '6.2.1.2'

- name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured"
  when: rhel9cis_rule_6_2_1_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - journald
    - rule_6.2.1.3
  notify: Restart journald
  block:
    - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | Add file"
      ansible.builtin.template:
        src: etc/systemd/journald.conf.d/rotation.conf.j2
        dest: /etc/systemd/journald.conf.d/rotation.conf
        owner: root
        group: root
        mode: 'g-wx,o-rwx'

    - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
        regexp: "{{ item }}"
        replace: '#\1'
      loop:
        - '^(\s*SystemMaxUse\s*=.*)'
        - '^(\s*SystemKeepFree\s*=.*)'
        - '^(\s*RuntimeMaxUse\s*=)'
        - '^(\s*RuntimeKeepFree\s*=.*)'
        - '^(\s*MaxFileSec\s*=.*)'

- name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
  when: rhel9cis_rule_6_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - patch
    - journald
    - syslog
    - rule_6.2.1.4
  block:
    - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when rsyslog"
      when: rhel9cis_syslog == "rsyslog"
      ansible.builtin.systemd:
        name: systemd-journald
        state: stopped
        enabled: false

    - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use | when journald"
      when: rhel9cis_syslog == "journald"
      ansible.builtin.systemd:
        name: rsyslog
        state: stopped
        enabled: false