forked from ansible-lockdown/RHEL9-CIS
auditd, sysctl, become tidy up
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
parent
b934cbef3f
commit
4336bbf6b6
3 changed files with 49 additions and 57 deletions
25
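--- /dev/null
+++ b/tasks/auditd.yml
@@ -0,0 +1,25 @@
+- name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
+  template:
+    src: audit/99_auditd.rules.j2
+    dest: /etc/audit/rules.d/99_auditd.rules
+    owner: root
+    group: root
+    mode: 0600
+  register: audit_rules_updated
+  notify: restart auditd
+
+- name: POST | AUDITD | Discover if auditd immutable - Set reboot required if auditd immutable
+  block:
+    - name: POST | AUDITD | Discover if auditd immutable - will require reboot if auditd template applied
+      shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+      changed_when: false
+      register: auditd_immutable_check
+
+    - name: POST | AUDITD | Set reboot required if auditd immutable
+      debug:
+        msg: "Reboot required for auditd to apply new rules as immutable set"
+      notify: change_requires_reboot
+      when:
+        - auditd_immutable_check.stdout == '1'
+  when:
+    - audit_rules_updated.changed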
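Review bot: The immutable check `shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules` will fail the play whenever the rendered rule file does not contain `-e 2`, because `grep -c` exits 1 when nothing matches and the task has no `failed_when`; add `failed_when: auditd_immutable_check.rc > 1` (and `command:` is sufficient here, no shell features are used). The `debug` task that follows never reports `changed`, so its `notify: change_requires_reboot` can never fire; add `changed_when: true` to that task so the reboot handler is actually queued. `mode: 0600` is an unquoted octal-looking scalar that depends on YAML 1.1 octal parsing; write it as `mode: "0600"` so the file mode cannot be retyped (the same applies to the sysctl hunk). Note that this check reads the rules file rather than the running audit configuration, so it tells you the new rules will set immutable mode, not whether the currently loaded ruleset is already locked (which is what decides whether `restart auditd` can apply them); confirm that is the intended semantics, or check `auditctl -s` instead.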
@ -123,49 +123,49 @@
|
||||||
|
|
||||||
- name: run Section 1 tasks
|
- name: run Section 1 tasks
|
||||||
import_tasks: section_1/main.yml
|
import_tasks: section_1/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section1
|
when: rhel9cis_section1
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section1
|
- rhel9cis_section1
|
||||||
|
|
||||||
- name: run Section 2 tasks
|
- name: run Section 2 tasks
|
||||||
import_tasks: section_2/main.yml
|
import_tasks: section_2/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section2
|
when: rhel9cis_section2
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section2
|
- rhel9cis_section2
|
||||||
|
|
||||||
- name: run Section 3 tasks
|
- name: run Section 3 tasks
|
||||||
import_tasks: section_3/main.yml
|
import_tasks: section_3/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section3
|
when: rhel9cis_section3
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section3
|
- rhel9cis_section3
|
||||||
|
|
||||||
- name: run Section 4 tasks
|
- name: run Section 4 tasks
|
||||||
import_tasks: section_4/main.yml
|
import_tasks: section_4/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section4
|
when: rhel9cis_section4
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section4
|
- rhel9cis_section4
|
||||||
|
|
||||||
- name: run Section 5 tasks
|
- name: run Section 5 tasks
|
||||||
import_tasks: section_5/main.yml
|
import_tasks: section_5/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section5
|
when: rhel9cis_section5
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section5
|
- rhel9cis_section5
|
||||||
|
|
||||||
- name: run Section 6 tasks
|
- name: run Section 6 tasks
|
||||||
import_tasks: section_6/main.yml
|
import_tasks: section_6/main.yml
|
||||||
become: true
|
|
||||||
when: rhel9cis_section6
|
when: rhel9cis_section6
|
||||||
tags:
|
tags:
|
||||||
- rhel9cis_section6
|
- rhel9cis_section6
|
||||||
|
|
||||||
|
- name: run auditd logic
|
||||||
|
import_tasks: auditd.yml
|
||||||
|
when:
|
||||||
|
- update_audit_template
|
||||||
|
tags:
|
||||||
|
- always
|
||||||
|
|
||||||
- name: run post remediation tasks
|
- name: run post remediation tasks
|
||||||
import_tasks: post.yml
|
import_tasks: post.yml
|
||||||
become: true
|
|
||||||
tags:
|
tags:
|
||||||
- post_tasks
|
- post_tasks
|
||||||
- always
|
- always
|
||||||
|
|
|
||||||
|
|
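Review bot: Dropping `become: true` from every `import_tasks` in this hunk (Sections 1–6 and post) leaves nothing in this file requesting privilege escalation, yet the imported tasks write to root-owned paths such as /etc/audit/rules.d and /etc/sysctl.d (see the other hunks); this is only safe if `become` is now set at the play, role or block level outside this hunk, which I cannot see here. If that is the intent, a one-line comment above the first task, `# become is expected to be set by the calling play, not per task`, would stop the next reader re-adding it. The new `run auditd logic` task is gated on `update_audit_template`, which has no default visible in this commit; confirm it is defined in the role defaults, since an undefined variable here would abort an `always`-tagged task on every run. The task list this hunk belongs to starts before line 123, outside the hunk.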
@ -12,57 +12,24 @@
|
||||||
tags:
|
tags:
|
||||||
- always
|
- always
|
||||||
|
|
||||||
- name: trigger update sysctl
|
- name: update sysctl
|
||||||
shell: /bin/true
|
template:
|
||||||
args:
|
src: "etc/sysctl.d/{{ item }}.j2"
|
||||||
warn: false
|
dest: "/etc/sysctl.d/{{ item }}"
|
||||||
changed_when: true
|
owner: root
|
||||||
check_mode: false
|
group: root
|
||||||
notify: update sysctl
|
mode: 0600
|
||||||
|
register: sysctl_updated
|
||||||
|
notify: reload sysctl
|
||||||
|
with_items:
|
||||||
|
- 60-kernel_sysctl.conf
|
||||||
|
- 60-disable_ipv6.conf
|
||||||
|
- 60-netipv4_sysctl.conf
|
||||||
|
- 60-netipv6_sysctl.conf
|
||||||
when:
|
when:
|
||||||
- rhel9cis_rule_3_1_1 or
|
- sysctl_update
|
||||||
rhel9cis_rule_3_1_2 or
|
- not system_is_container
|
||||||
rhel9cis_rule_3_1_3 or
|
- "'procps-ng' in ansible_facts.packages"
|
||||||
rhel9cis_rule_3_2_1 or
|
|
||||||
rhel9cis_rule_3_2_2 or
|
|
||||||
rhel9cis_rule_3_3_1 or
|
|
||||||
rhel9cis_rule_3_3_2 or
|
|
||||||
rhel9cis_rule_3_3_3 or
|
|
||||||
rhel9cis_rule_3_3_4 or
|
|
||||||
rhel9cis_rule_3_3_5 or
|
|
||||||
rhel9cis_rule_3_3_6 or
|
|
||||||
rhel9cis_rule_3_3_7 or
|
|
||||||
rhel9cis_rule_3_3_8 or
|
|
||||||
rhel9cis_rule_3_3_9
|
|
||||||
tags:
|
|
||||||
- sysctl
|
|
||||||
|
|
||||||
- name: trigger update auditd
|
|
||||||
shell: /bin/true
|
|
||||||
args:
|
|
||||||
warn: false
|
|
||||||
notify: update auditd
|
|
||||||
changed_when: true
|
|
||||||
check_mode: false
|
|
||||||
when:
|
|
||||||
- rhel9cis_rule_4_1_1_1 or
|
|
||||||
rhel9cis_rule_4_1_1_2 or
|
|
||||||
rhel9cis_rule_4_1_1_3 or
|
|
||||||
rhel9cis_rule_4_1_2_1 or
|
|
||||||
rhel9cis_rule_4_1_2_2 or
|
|
||||||
rhel9cis_rule_4_1_2_3 or
|
|
||||||
rhel9cis_rule_4_1_3 or
|
|
||||||
rhel9cis_rule_4_1_4 or
|
|
||||||
rhel9cis_rule_4_1_5 or
|
|
||||||
rhel9cis_rule_4_1_6 or
|
|
||||||
rhel9cis_rule_4_1_7 or
|
|
||||||
rhel9cis_rule_4_1_8 or
|
|
||||||
rhel9cis_rule_4_1_9 or
|
|
||||||
rhel9cis_rule_4_1_10 or
|
|
||||||
rhel9cis_rule_4_1_11 or
|
|
||||||
rhel9cis_rule_4_1_12
|
|
||||||
tags:
|
|
||||||
- auditd
|
|
||||||
|
|
||||||
- name: flush handlers
|
- name: flush handlers
|
||||||
meta: flush_handlers
|
meta: flush_handlers
|
||||||
|
|
|
||||||
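Review bot: The new `notify: reload sysctl` replaces the old `notify: update sysctl`, and the commit's three changed files do not include a handlers file, so this only works if a `reload sysctl` handler (and the `restart auditd` / `change_requires_reboot` handlers used by the new auditd.yml) already exist; otherwise Ansible aborts with an unknown-handler error at run time. The condition `'procps-ng' in ansible_facts.packages` presumes `ansible_facts.packages` was populated by `package_facts` earlier in the play, which is not visible in this hunk; if it was not, I would expect the task to fail on an undefined attribute rather than skip. The per-rule gating (`rhel9cis_rule_3_1_1 or … rhel9cis_rule_3_3_9`) is collapsed into a single `sysctl_update` flag, so all four templates, including `60-disable_ipv6.conf`, are now written whenever that flag is set; presumably the templates are conditional on the rule variables internally — confirm, otherwise hosts with the corresponding rule disabled still get the file. `register: sysctl_updated` has no consumer in this hunk; either drop it or note what reads it. The task that owns the leading `tags: - always` starts before line 12, outside the hunk.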