RHEL9-CIS/tasks/section_4/cis_4.1.4.x.yml

---

- name: |
      "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
      "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
      "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"

  block:
      - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
        ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
        register: audit_logfile
        changed_when: false

      - name: |
            "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
            "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
            "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
        ansible.builtin.file:
            path: "{{ audit_logfile.stdout }}"
            state: file
            mode: 0640
            owner: root
            group: root
  when:
      - rhel9cis_rule_4_1_4_1 or
        rhel9cis_rule_4_1_4_2 or
        rhel9cis_rule_4_1_4_3
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.1
      - rule_4.1.4.2
      - rule_4.1.4.3

- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive"
  block:
      - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
        ansible.builtin.stat:
            path: "{{ audit_logfile.stdout | dirname }}"
        register: auditlog_dir

      - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
        ansible.builtin.file:
            path: "{{ audit_logfile.stdout | dirname }}"
            state: directory
            mode: 0750
        when: not auditlog_dir.stat.mode is match('07(0|5)0')
  when:
      - rhel9cis_rule_4_1_4_4
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.4

- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
  ansible.builtin.file:
      path: "{{ item.path }}"
      state: file
      mode: 0640
  loop: "{{ auditd_conf_files.files }}"
  loop_control:
      label: "{{ item.path }}"
  when:
      - item.mode != '06(0|4)0'
      - rhel9cis_rule_4_1_4_5
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.5

- name: "4.1.4.6 | PATCH | Ensure audit configuration files are owned by root"
  ansible.builtin.file:
      path: "{{ item.path }}"
      state: file
      owner: root
  loop: "{{ auditd_conf_files.files }}"
  loop_control:
      label: "{{ item.path }}"
  when:
      - rhel9cis_rule_4_1_4_6
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.6

- name: "4.1.4.7 | PATCH | Ensure audit configuration files belong to group root"
  ansible.builtin.file:
      path: "{{ item.path }}"
      state: file
      group: root
  loop: "{{ auditd_conf_files.files }}"
  loop_control:
      label: "{{ item.path }}"
  when:
      - rhel9cis_rule_4_1_4_7
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.7

- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
  block:
      - name: "PRELIM | 4.1.4.8 | Get audit binary file stat | get current mode"
        ansible.builtin.stat:
            path: "{{ item }}"
        register: "audit_bins"
        loop:
            - /sbin/auditctl
            - /sbin/aureport
            - /sbin/ausearch
            - /sbin/autrace
            - /sbin/auditd
            - /sbin/augenrules

      - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
        ansible.builtin.file:
            path: "{{ item.item }}"
            state: file
            mode: 0750
        register: "audit_bins"
        loop: "{{ audit_bins.results }}"
        loop_control:
            label: "{{ item.item }}"
        when: not item.stat.mode is match('07(0|5)0')
  when:
      - rhel9cis_rule_4_1_4_8
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.8

- name: "4.1.4.9 | PATCH | Ensure audit tools are owned by root"
  ansible.builtin.file:
      path: "{{ item }}"
      state: file
      owner: root
      group: root
  loop:
      - /sbin/auditctl
      - /sbin/aureport
      - /sbin/ausearch
      - /sbin/autrace
      - /sbin/auditd
      - /sbin/augenrules
  when:
      - rhel9cis_rule_4_1_4_9
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.9

- name: "4.1.4.10 | PATCH | Ensure audit tools belong to group root"
  ansible.builtin.file:
      path: "{{ item }}"
      state: file
      group: root
  loop:
      - /sbin/auditctl
      - /sbin/aureport
      - /sbin/ausearch
      - /sbin/autrace
      - /sbin/auditd
      - /sbin/augenrules
  when:
      - rhel9cis_rule_4_1_4_10
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.4.10