ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
RHEL9-CIS/tasks/section_6/cis_6.3.1.x.yml
Mark Bolwell 2de8a39cdc
updated yamllint, company naming, linting and spacing 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-04 12:00:12 +00:00

107 lines
3.6 KiB
YAML
Raw Blame History

---
- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
when:
- rhel9cis_rule_6_3_1_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.1.1
- NIST800-53R5_AU-2
- NIST800-53R5_AU-3
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
when: '"auditd" not in ansible_facts.packages'
ansible.builtin.package:
name: audit
state: present
- name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
when: '"auditd-lib" not in ansible_facts.packages'
ansible.builtin.package:
name: audit-libs
state: present
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
when: rhel9cis_rule_6_3_1_2
tags:
- level2-server
- level2-workstation
- patch
- auditd
- grub
- rule_6.3.1.2
block:
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
changed_when: false
failed_when: false
check_mode: false
register: discovered_grubby_curr_value_audit_linux
- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
when:
- discovered_grubby_curr_value_audit_linux.stdout == '' or
'0' in discovered_grubby_curr_value_audit_linux.stdout or
'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
changed_when: true
- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
when: rhel9cis_rule_6_3_1_3
tags:
- level2-server
- level2-workstation
- patch
- auditd
- grub
- rule_6.3.1.3
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
block:
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
ansible.builtin.shell:
cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
changed_when: false
failed_when: false
check_mode: false
register: discovered_grubby_curr_value_backlog_linux
- name: "6.3.1.3 | AUDIT | Check to see if limits are set"
when:
- discovered_grubby_curr_value_backlog_linux is not defined or
discovered_grubby_curr_value_backlog_linux.stdout_lines == []
ansible.builtin.set_fact:
discovered_reset_backlog_limits: true
- name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
when: (item | int < rhel9cis_audit_back_log_limit)
ansible.builtin.set_fact:
discovered_reset_backlog_limits: true
loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
- name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
when: discovered_reset_backlog_limits is defined
ansible.builtin.command: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
changed_when: true
- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
when: rhel9cis_rule_6_3_1_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.1.4
- NIST800-53R5_AU-2
- NIST800-53R5_AU-12
- NIST800-53R5_SI-5
ansible.builtin.systemd:
name: auditd
state: started
enabled: true
Reference in a new issue View git blame Copy permalink