ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
RHEL9-CIS/tasks/section_6/cis_6.3.4.x.yml
Mark Bolwell 2de8a39cdc
updated yamllint, company naming, linting and spacing 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-04 12:00:12 +00:00

149 lines
3.7 KiB
YAML
Raw Blame History

---
- name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
when: rhel9cis_rule_6_3_4_1
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ prelim_auditd_logfile.stdout | dirname }}"
state: directory
mode: 'g-w,o-rwx'
- name: |
"6.3.4.2 | PATCH | Ensure audit log files mode is configured"
"6.3.4.3 | PATCH | Ensure audit log files owner is configured"
"6.3.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
when:
- rhel9cis_rule_6_3_4_2 or
rhel9cis_rule_6_3_4_3 or
rhel9cis_rule_6_3_4_4
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.1
- rule_6.3.4.2
- rule_6.3.4.3
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ prelim_auditd_logfile.stdout }}"
mode: 'o-x,g-wx,o-rwx'
owner: root
group: root
- name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
when: rhel9cis_rule_6_3_4_5
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.5
ansible.builtin.file:
path: "{{ item.path }}"
mode: 'u-x,g-wx,o-rwx'
failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
when: rhel9cis_rule_6_3_4_6
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.6
ansible.builtin.file:
path: "{{ item.path }}"
owner: root
failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
when: rhel9cis_rule_6_3_4_7
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.7
ansible.builtin.file:
path: "{{ item.path }}"
group: root
failed_when: discovered_audit_conf_file_list.state not in '[ file, absent ]'
register: discovered_audit_conf_file_list
loop: "{{ prelim_auditd_conf_files.files | default([]) }}"
loop_control:
label: "{{ item.path }}"
- name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
when: rhel9cis_rule_6_3_4_8
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.8
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ item }}"
mode: 'go-w'
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
when: rhel9cis_rule_6_3_4_9
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.9
ansible.builtin.file:
path: "{{ item }}"
owner: root
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
- name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
when: rhel9cis_rule_6_3_4_10
tags:
- level2-server
- level2-workstation
- patch
- auditd
- rule_6.3.4.10
- NIST800-53R5_AU-3
ansible.builtin.file:
path: "{{ item }}"
group: root
loop:
- /sbin/auditctl
- /sbin/aureport
- /sbin/ausearch
- /sbin/autrace
- /sbin/auditd
- /sbin/augenrules
Reference in a new issue View git blame Copy permalink