sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

Merge pull request #307 from ansible-lockdown/devel

Browse source 
Updates to benchmark v2.0.0
This commit is contained in:
uk-bolly 2025-03-18 09:22:32 +00:00 committed by GitHub
commit 3d502efaef
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
18 changed files with 199 additions and 116 deletions
Download patch file Download diff file Expand all files Collapse all files

3
.gitignore vendored
View file

@ -46,3 +46,6 @@ benchparse/
# GitHub Action/Workflow files
.github/
# Precommit exclusions
.ansible/

4
.pre-commit-config.yaml
View file

@ -41,12 +41,12 @@ repos:
- id: detect-secrets
- repo: https://github.com/gitleaks/gitleaks
rev: v8.23.3
rev: v8.24.0
hooks:
- id: gitleaks
- repo: https://github.com/ansible-community/ansible-lint
rev: v25.1.2
rev: v25.1.3
hooks:
- id: ansible-lint
name: Ansible-lint

1
README.md
View file

@ -27,6 +27,7 @@
![Issues Open](https://img.shields.io/github/issues-raw/ansible-lockdown/RHEL9-CIS?label=Open%20Issues)
![Issues Closed](https://img.shields.io/github/issues-closed-raw/ansible-lockdown/RHEL9-CIS?label=Closed%20Issues&&color=success)
![Pull Requests](https://img.shields.io/github/issues-pr/ansible-lockdown/RHEL9-CIS?label=Pull%20Requests)
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit)](https://github.com/pre-commit/pre-commit)
![License](https://img.shields.io/github/license/ansible-lockdown/RHEL9-CIS?label=License)

141
defaults/main.yml
View file

@ -923,7 +923,7 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
# Options are: minclass or credits
# ensure only one is selected
rhel9cis_passwd_complex_option: minclass # pragma: allowlist secret
rhel9cis_passwd_minclass: 3
rhel9cis_passwd_minclass: 4
# rhel9cis_passwd_complex: credits
rhel9cis_passwd_dcredit: -1
rhel9cis_passwd_ucredit: -2
@ -1100,14 +1100,68 @@ rhel9cis_aide_cron:
#
## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Control 6.2.3 | Configure rsyslog
## Control 6.2.1 | Configure journald
# This variable governs which logging service should be used, choosing between 'rsyslog'(CIS recommendation)
# or 'journald'(only one is implemented) will trigger the execution of the associated subsection, as the-best
## Controls 6.2.1.x | Configure systemd-journald service
## Controls 6.2.2.x | Configured journald
## Controls 6.2.3.x | Configure rsyslog
# This variable governs which logging service should be used, choosing between 'rsyslog'
# or 'journald'(CIS recommendation) will trigger the execution of the associated subsection, as the-best
# practices are written wholly independent of each other.
rhel9cis_syslog: journald
## Control 6.2.2.x & 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the max amount of disk space the logs will use(thus, journal files
# will not grow without bounds)
# The variables below related to journald, please set these to your site specific values
# These variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
rhel9cis_journald_systemmaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the amount of disk space to keep free for other uses.
rhel9cis_journald_systemkeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures how much disk space the journal may use up at most.
# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
rhel9cis_journald_runtimemaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures the actual amount of disk space to keep free
# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
rhel9cis_journald_runtimekeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!
rhel9cis_journald_maxfilesec: 1month
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: 192.168.50.42
## The paths below have the default paths/files, but allow user to create custom paths/filenames
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
# ATTENTION: Uncomment the keyword below when values are set!
# Control 6.2.3.x - Ensure rsyslog is not configured to receive logs from a remote client
# This variable expresses whether the system is used as a log server or not. If set to:
# - 'false', current system will act as a log CLIENT, thus it should NOT receive data from other hosts.
# - 'true', current system will act as a log SERVER, enabling centralised log management(by protecting log integrity
@ -1155,57 +1209,25 @@ rhel9cis_remote_log_retrycount: 100
# of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
rhel9cis_remote_log_queuesize: 1000
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
# URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
# number may be specified after a colon (":"), otherwise 19532 will be used by default.
rhel9cis_journal_upload_url: 192.168.50.42
## The paths below have the default paths/files, but allow user to create custom paths/filenames
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the private key file used by the remote journal
# server to authenticate itself to the client. This key is used alongside the server's
# public certificate to establish secure communication.
rhel9cis_journal_upload_serverkeyfile: "/etc/ssl/private/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to the public certificate file of the remote journal
# server. This certificate is used to verify the authenticity of the remote server.
rhel9cis_journal_servercertificatefile: "/etc/ssl/certs/journal-upload.pem"
## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
# This variable specifies the path to a file containing one or more public certificates
# of certificate authorities (CAs) that the client trusts. These trusted certificates are used
# to validate the authenticity of the remote server's certificate.
rhel9cis_journal_trustedcertificatefile: "/etc/ssl/ca/trusted.pem"
# ATTENTION: Uncomment the keyword below when values are set!
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the max amount of disk space the logs will use(thus, journal files
# will not grow without bounds)
# The variables below related to journald, please set these to your site specific values
# These variable specifies how much disk space the journal may use up at most
# Specify values in bytes or use K, M, G, T, P, E as units for the specified sizes.
# See https://www.freedesktop.org/software/systemd/man/journald.conf.html for more information.
rhel9cis_journald_systemmaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable configures the amount of disk space to keep free for other uses.
rhel9cis_journald_systemkeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures how much disk space the journal may use up at most.
# Similar with 'rhel9cis_journald_systemmaxuse', but related to runtime space.
rhel9cis_journald_runtimemaxuse: 10M
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# This variable configures the actual amount of disk space to keep free
# Similar with 'rhel9cis_journald_systemkeepfree', but related to runtime space.
rhel9cis_journald_runtimekeepfree: 100G
## Control 6.2.1.3 - Ensure journald log rotation is configured per site policy
# Current variable governs the settings for log retention(how long the log files will be kept).
# Thus, it specifies the maximum time to store entries in a single journal
# file before rotating to the next one. Set to 0 to turn off this feature.
# The given values is interpreted as seconds, unless suffixed with the units
# `year`, `month`, `week`, `day`, `h` or `m` to override the default time unit of seconds.
# Values are Xm, Xh, Xday, Xweek, Xmonth, Xyear, for example 2week is two weeks
# ATTENTION: Uncomment the keyword below when values are set!
rhel9cis_journald_maxfilesec: 1month
## Control 6.2.3.8 rsyslog rotate
# This variable configures whether to set your own rsyslog logrotate setting alternate to logrotate default settings
# Please refer to logrotate options to match your site requirements
# This sets when to rotate
rhel9cis_rsyslog_logrotate_rotated_when: weekly
# This sets how many rotations of the file to keep
rhel9cis_rsyslog_logrotate_rotatation_keep: 4
# This defines whether to set various options or not
# these are taken from logrotate options
# Setting
# true will carry out the setting.
# false will either set no/not or not add the option
rhel9cis_rsyslog_logrotate_compress: true
rhel9cis_rsyslog_logrotate_missingok: true
rhel9cis_rsyslog_logrotate_notifempty: true
rhel9cis_rsyslog_logrotate_create: true
# Extra options that can be added according to rsyslog documentation
# Uncomment and add the required options e.g. mode owner group
# rhel9cis_rsyslog_logrotate_create_opts:
## Control 6.3.2.1 - Ensure audit_backlog_limit is sufficient
# This variable represents the audit backlog limit, i.e., the maximum number of audit records that the
@ -1303,3 +1325,8 @@ rhel9cis_suid_sgid_adjust: false
## Control 7.1.11 - Ensure no world writable files exist
# Allow ansible to adjust world-writable files. False will just display world-writable files, True will remove world-writable.
rhel9cis_no_world_write_adjust: true
## Control 7.2.9
# This allows ansible to alter the dot files as per rule if found
# When set to true this will align with benchmark - can impact a running system if not tested sufficiently
rhel9cis_dotperm_ansiblemanaged: false

9
handlers/main.yml
View file

@ -144,6 +144,15 @@
state: remounted
listen: "Remount /var/log/audit"
- name: "Remounting /boot/efi"
vars:
mount_point: '/boot/efi'
ansible.posix.mount:
path: "{{ mount_point }}"
state: remounted
notify: Change_requires_reboot
listen: "Remount /boot/efi"
- name: Reload sysctl
ansible.builtin.command: sysctl --system
changed_when: true

8
tasks/main.yml
View file

@ -116,17 +116,11 @@
fail_msg: "You still have the default name for your authselect profile"
- name: "Check authselect profile is selected | Check current profile"
ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
ansible.builtin.shell: authselect list
changed_when: false
failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
register: prelim_authselect_current_profile
- name: "Check authselect profile is selected | Ensure profile name is set"
ansible.builtin.assert:
that: prelim_authselect_current_profile is defined
success_msg: "Authselect is running and profile is selected"
fail_msg: Authselect updates have been selected there are issues with profile selection"
- name: "Ensure root password is set"
when: rhel9cis_rule_5_4_2_4
tags:

34
tasks/section_1/cis_1.4.x.yml
View file

@ -29,7 +29,8 @@
- rule_1.4.2
- NIST800-53R5_AC-3
block:
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | bios based system"
when: rhel9cis_legacy_boot
ansible.builtin.file:
path: "/boot/grub2/{{ item.path }}"
owner: root
@ -39,6 +40,31 @@
modification_time: preserve
access_time: preserve
loop:
- { path: 'grub.cfg', mode: '0700' }
- { path: 'grubenv', mode: 'go-rwx' }
- { path: 'user.cfg', mode: 'go-rwx' }
- { path: 'grub.cfg', mode: 'u-x,go-rwx' }
- { path: 'grubenv', mode: 'u-x,go-rwx' }
- { path: 'user.cfg', mode: 'u-x,go-rwx' }
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system"
when: not rhel9cis_legacy_boot
vars:
efi_mount_options: ['umask=0077', 'fmask=0077', 'uid=0', 'gid=0']
block:
- name: "1.4.2 | AUDIT | Ensure permissions on bootloader config are configured | efi based system | capture current state"
ansible.builtin.shell: grep "^[^#;]" /etc/fstab | grep '/boot/efi' | awk -F" " '{print $4}'
changed_when: false
register: discovered_efi_fstab
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Build Options"
when: item not in discovered_efi_fstab.stdout
ansible.builtin.set_fact:
efi_mount_opts_addition: "{{ efi_mount_opts_addition + ',' + item }}"
loop: "{{ efi_mount_options }}"
- name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured | efi based system | Add mount options"
when: efi_mount_opts_addition | length > 0
ansible.builtin.lineinfile:
path: /etc/fstab
regexp: (.*/boot/efi\s*\w*\s*){{ discovered_efi_fstab.stdout }}(.*)
line: \1{{ discovered_efi_fstab.stdout + efi_mount_opts_addition }}\2
backrefs: true
notify: Remount /boot/efi

4
tasks/section_5/cis_5.3.2.x.yml
View file

@ -14,9 +14,7 @@
- rule_5.3.2.1
block:
- name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Create custom profiles"
when:
- rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
prelim_authselect_current_profile.stdout is not defined
when: rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout
ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
changed_when: false
args:

2
tasks/section_5/cis_5.4.2.x.yml
View file

@ -190,7 +190,7 @@
regexp: \s*umask
line: "umask {{ rhel9cis_root_umask }}"
create: true
mode: 'u+x,go-rwx'
mode: 'u-x,go-rwx'
- name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
when:

4
tasks/section_6/cis_6.2.2.1.x.yml
View file

@ -17,7 +17,7 @@
name: systemd-journal-remote
state: present
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-remote authentication is configured"
- name: "6.2.2.1.2 | PATCH | Ensure systemd-journal-upload authentication is configured"
when:
- rhel9cis_rule_6_2_2_1_2
- not rhel9cis_system_is_log_server
@ -40,7 +40,7 @@
- { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'}
- { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'}
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled and active"
- name: "6.2.2.1.3 | PATCH | Ensure systemd-journal-upload is enabled and active"
when:
- not rhel9cis_system_is_log_server
- rhel9cis_rule_6_2_2_1_3

4
tasks/section_6/cis_6.2.3.x.yml
View file

@ -256,8 +256,8 @@
- name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
ansible.builtin.template:
src: etc/logrotate.d/rsyslog.conf.j2
dest: /etc/logrotate.d/rsyslog.conf
src: etc/logrotate.d/rsyslog_log.j2
dest: /etc/logrotate.d/rsyslog_log
owner: root
group: root
mode: 'g-wx,o-rwx'

42
tasks/section_6/cis_6.2.4.1.yml
View file

@ -8,6 +8,8 @@
- patch
- logfiles
- rule_6.2.4.1
- NIST800-53R5_AC-3
- NIST800-53R5_MP-2
block:
- name: "6.2.4.1 | AUDIT | Ensure access to all logfiles has been configured | find log files"
ansible.builtin.shell: find /var/log/ -type f -exec ls {} \;
@ -15,43 +17,35 @@
failed_when: false
register: discovered_logfiles
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions SSSD min 660"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('audit.log' in item or 'journal' in item) or
item == '/var/log/secure' or
item == '/var/log/syslog' or
item == '/var/log/messages' or
item == '/var/log/auth.log'
- item is match("/var/log/(gdm|sssd)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
mode: 'ug-x,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions tmp min 664"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('anaconda' in item or 'dnf' in item or 'secure' in item or 'messages' in item or 'hawkey' in item)
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-x,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions"
when:
- discovered_logfiles.stdout_lines | length > 0
- ('sssd' in item or 'lastlog' in item) or
item == "/var/log/btmp" or
item == "/var/log/utmp" or
item == "/var/log/wtmp" or
item == "/var/log/lastlog"
- item is match("/var/log/((u|b|w)tmp*|lastlog)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'ug-x,o-wx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"
- name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured | change permissions else all 640"
when:
- discovered_logfiles.stdout_lines | length > 0
- item is not match("/var/log/((u|b|w)tmp*|lastlog|sssd)")
ansible.builtin.file:
path: "{{ item }}"
mode: 'u-x,g-wx,o-rwx'
failed_when: discovered_logfile_list.state not in '[ file, absent ]'
register: discovered_logfile_list
loop: "{{ discovered_logfiles.stdout_lines }}"

1
tasks/section_6/main.yml
View file

@ -5,6 +5,7 @@
file: cis_6.1.x.yml
- name: "SECTION | 6.2.1 | Configure systemd-journald service"
when: rhel9cis_syslog == 'journald'
ansible.builtin.import_tasks:
file: cis_6.2.1.x.yml

2
tasks/section_7/cis_7.1.x.yml
View file

@ -169,6 +169,8 @@
owner: root
group: root
mode: 'u-x,go-wx'
failed_when: discovered_file_exists.state not in '[ file, absent ]'
register: discovered_file_exists
- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
when:

16
templates/audit/99_auditd.rules.j2
View file

@ -23,6 +23,7 @@
-w {{ rhel9cis_sudolog_location }} -p wa -k sudo_log_file
{% endif %}
{% if rhel9cis_rule_6_3_3_4 %}
{% set syscalls = ["adjtimex","settimeofday"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
@ -31,6 +32,15 @@
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k time-change
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k time-change
{% set syscalls = ["clock_settime"] %}
{% set arch_syscalls = [] %}
{% for syscall in syscalls %}
{% if syscall in supported_syscalls %}
{{ arch_syscalls.append(syscall) }}
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -F a0=0x0 -k time-change
{% endif %}
{% endfor %}
-w /etc/localtime -p wa -k time-change
{% endif %}
{% if rhel9cis_rule_6_3_3_5 %}
@ -41,8 +51,8 @@
{{ arch_syscalls.append(syscall) }}
{% endif %}
{% endfor %}
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b64 -S {{ arch_syscalls|join(',') }} -k system-locale
-a always,exit -F arch=b32 -S {{ arch_syscalls|join(',') }} -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
@ -169,7 +179,7 @@
-a always,exit -F path=/usr/bin/setfacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_6_3_3_17 %}
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k priv_chng
-a always,exit -F path=/usr/bin/chacl -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k perm_chng
{% endif %}
{% if rhel9cis_rule_6_3_3_18 %}
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>={{ prelim_min_int_uid }} -F auid!=unset -k usermod

11
templates/etc/logrotate.d/rsyslog.conf.j2
View file

@ -1,11 +0,0 @@
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated }}
rotate {{ rhel9cis_rsyslog_logrotate_keep }}
{% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
{% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
{% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
{% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
postrotate
/usr/bin/systemctl reload rsyslog.service >/dev/null || true
endscript
}

26
templates/etc/logrotate.d/rsyslog_log.j2 Normal file
View file

@ -0,0 +1,26 @@
/var/log/rsyslog/*.log {
{{ rhel9cis_rsyslog_logrotate_rotated_when }}
rotate {{ rhel9cis_rsyslog_logrotate_rotatation_keep }}
{% if rhel9cis_rsyslog_logrotate_compress %}
compress
{% else %}
nocompress
{% endif %}
{% if rhel9cis_rsyslog_logrotate_missingok %}
missingok
{% else %}
nomissingok
{% endif %}
{% if rhel9cis_rsyslog_logrotate_notifempty %}
notifempty
{% else %}
ifempty
{% endif %}
{% if rhel9cis_rsyslog_logrotate_create %}
create{% if rhel9cis_rsyslog_logrotate_create_opts is defined %} {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
{% endif %}
postrotate
/usr/bin/systemctl reload rsyslog.service >/dev/null || true
endscript
}

3
vars/main.yml
View file

@ -22,6 +22,9 @@ rhel9cis_allowed_crypto_policies_modules:
warn_control_list: ""
warn_count: 0
# Default empty values for 1.4.2
efi_mount_opts_addition: ''
gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
## Controls 6.3.3.x - Audit template