diff --git a/tasks/auditd.yml b/tasks/auditd.yml
new file mode 100644
index 0000000..f3fc1fd
--- /dev/null
+++ b/tasks/auditd.yml
@@ -0,0 +1,25 @@
+- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
+ template:
+ src: audit/99_auditd.rules.j2
+ dest: /etc/audit/rules.d/99_auditd.rules
+ owner: root
+ group: root
+ mode: 0600
+ register: audit_rules_updated
+ notify: restart auditd
+
+- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable
+ block:
+ - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied
+ shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+ changed_when: false
+ register: auditd_immutable_check
+
+ - name: POST | AUDITD | Set reboot required if auditd immutable
+ debug:
+ msg: "Reboot required for auditd to apply new rules as immutable set"
+ notify: change_requires_reboot
+ when:
+ - auditd_immutable_check.stdout == '1'
+ when:
+ - audit_rules_updated.changed
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 1b240f7..9a6ee31 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
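Review bot: The immutable check on the `shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules` line fails the play on every host whose rendered rules do not set `-e 2`, because `grep -c` exits 1 when nothing matches and the task has no `failed_when`; add `failed_when: auditd_immutable_check.rc > 1` (and `command:` is enough, no shell features are used). The reboot flag is also never raised: the `debug` module always reports `changed: false`, so its `notify: change_requires_reboot` never fires unless `changed_when: true` is added to that task. Grepping the freshly templated file also only tells you that the new rules request immutability; whether the `restart auditd` handler can actually load them depends on whether the running daemon is already locked (`auditctl -s` reporting `enabled 2`), which this check presumably does not cover, so please confirm the intended semantics. Minor: write `mode: "0600"` so YAML does not parse the mode as an octal integer.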
@@ -123,49 +123,49 @@ - name: run Section 1 tasks import_tasks: section_1/main.yml - become: true when: rhel9cis_section1 tags: - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml - become: true when: rhel9cis_section2 tags: - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml - become: true when: rhel9cis_section3 tags: - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml - become: true when: rhel9cis_section4 tags: - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml - become: true when: rhel9cis_section5 tags: - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml - become: true when: rhel9cis_section6 tags: - rhel9cis_section6 +- name: run auditd logic + import_tasks: auditd.yml + when: + - update_audit_template + tags: + - always + - name: run post remediation tasks import_tasks: post.yml - become: true tags: - post_tasks - always diff --git a/tasks/post.yml b/tasks/post.yml index c0f6be8..bca18ae 100644 --- a/tasks/post.yml +++ b/tasks/post.yml 
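Review bot: Dropping `become: true` from every section import makes privilege escalation depend on the caller's play or inventory setting `become`; a run without it will fail on the first write under /etc rather than silently skip, but this is a behaviour change for existing callers and should be stated in the README or defaults. The new `run auditd logic` import is tagged `always` and gated only on `when: update_audit_template`, so `update_audit_template` needs a default of `false` in `defaults/main.yml` or tag-limited runs will error on an undefined variable; I cannot see the defaults from this hunk, so please confirm. If the variable is meant to be set by section 4 tasks when rules change, a comment such as `# set by section_4 tasks that modify audit rules; always-tagged so the template is applied on tag-limited runs too` above the import would make the intent clear.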
@@ -12,57 +12,24 @@ tags: - always -- name: trigger update sysctl - shell: /bin/true - args: - warn: false - changed_when: true - check_mode: false - notify: update sysctl +- name: update sysctl + template: + src: "etc/sysctl.d/{{ item }}.j2" + dest: "/etc/sysctl.d/{{ item }}" + owner: root + group: root + mode: 0600 + register: sysctl_updated + notify: reload sysctl + with_items: + - 60-kernel_sysctl.conf + - 60-disable_ipv6.conf + - 60-netipv4_sysctl.conf + - 60-netipv6_sysctl.conf when: - - rhel9cis_rule_3_1_1 or - rhel9cis_rule_3_1_2 or - rhel9cis_rule_3_1_3 or - rhel9cis_rule_3_2_1 or - rhel9cis_rule_3_2_2 or - rhel9cis_rule_3_3_1 or - rhel9cis_rule_3_3_2 or - rhel9cis_rule_3_3_3 or - rhel9cis_rule_3_3_4 or - rhel9cis_rule_3_3_5 or - rhel9cis_rule_3_3_6 or - rhel9cis_rule_3_3_7 or - rhel9cis_rule_3_3_8 or - rhel9cis_rule_3_3_9 - tags: - - sysctl - -- name: trigger update auditd - shell: /bin/true - args: - warn: false - notify: update auditd - changed_when: true - check_mode: false - when: - - rhel9cis_rule_4_1_1_1 or - rhel9cis_rule_4_1_1_2 or - rhel9cis_rule_4_1_1_3 or - rhel9cis_rule_4_1_2_1 or - rhel9cis_rule_4_1_2_2 or - rhel9cis_rule_4_1_2_3 or - rhel9cis_rule_4_1_3 or - rhel9cis_rule_4_1_4 or - rhel9cis_rule_4_1_5 or - rhel9cis_rule_4_1_6 or - rhel9cis_rule_4_1_7 or - rhel9cis_rule_4_1_8 or - rhel9cis_rule_4_1_9 or - rhel9cis_rule_4_1_10 or - rhel9cis_rule_4_1_11 or - rhel9cis_rule_4_1_12 - tags: - - auditd + - sysctl_update + - not system_is_container + - "'procps-ng' in ansible_facts.packages" - name: flush handlers meta: flush_handlers
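Review bot: The `when` block on the new `update sysctl` task skips all four sysctl templates without any signal when `procps-ng` is not installed, so the kernel and network hardening from section 3 would silently stay unapplied; either ensure the package earlier in the role or precede this task with an `assert` that fails loudly. The `"'procps-ng' in ansible_facts.packages"` condition additionally raises an undefined-attribute error if `package_facts` was never gathered, which is fine as a fail-closed behaviour but worth a comment such as `# requires package_facts to have run earlier in the role`. The gate also moved from the per-rule flags to a single `sysctl_update` variable and the handler was renamed from `update sysctl` to `reload sysctl`; both the default for `sysctl_update` and the renamed handler must exist, which I cannot verify from this hunk. Minor: prefer `loop:` over `with_items:` and quote the mode as `mode: "0600"`.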