From 6d2c9e67e91fd06bb466cc72f93db83e591b7c7b Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Tue, 6 Aug 2024 17:28:39 +0100
Subject: [PATCH] Added new options rsyslog logrotate
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 17 +++++++++
 tasks/section_6/cis_6.2.3.x.yml | 44 ++++++-----------------
 templates/etc/logrotate.d/rsyslog.conf.j2 | 11 ++++++
 3 files changed, 38 insertions(+), 34 deletions(-)
 create mode 100644 templates/etc/logrotate.d/rsyslog.conf.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index dc5d401..2029bd4 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1118,6 +1118,23 @@ rhel9cis_remote_log_retrycount: 100
 # of rsyslog forwarding must be enabled('rhel9cis_remote_log_server: true').
 rhel9cis_remote_log_queuesize: 1000
+## Control 6.2.3.8 rsyslog log rotate option
+# These variable allow you to change accordint to site policy settings
+# When to rotate options: hourly, daily, weekly, monthly, yearly
+rhel9cis_rsyslog_logrotate_rotated: weekly
+# Number of backlog files to keep
+rhel9cis_rsyslog_logrotate_keep: 4
+# compress file once rotated, false will not compress
+rhel9cis_rsyslog_logrotate_compress: true
+# If the log file is missing, go on to the next one without issuing an error message
+rhel9cis_rsyslog_logrotate_missingok:
+# Dont rotate file if has no contents, false will still rotate
+rhel9cis_rsyslog_logrotate_notifempty: true
+# rhel9cis_rsyslog_logrotate_create give the options to create permissions and ownerships
+# allows create iption to be used and sets options below based on mode owner group
+rhel9cis_rsyslog_logrotate_create: false
+rhel9cis_rsyslog_logrotate_create_opts: 0640 root root
+
 ## Control 6.2.2.1.2 - Ensure systemd-journal-remote is configured
 # 'rhel9cis_journal_upload_url' is the ip address to upload the journal entries to
 # URL value may specify either just the hostname or both the protocol and hostname. 'https' is the default. The port
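Review bot: `rhel9cis_rsyslog_logrotate_missingok:` is added with no value, so YAML loads it as null and the template's `{% if rhel9cis_rsyslog_logrotate_missingok %}` test is always false; the comment above it describes the enabled behaviour, so it should read `rhel9cis_rsyslog_logrotate_missingok: true`. `rhel9cis_rsyslog_logrotate_create_opts: 0640 root root` is only read as a string because of the embedded spaces; if a site trims it to a bare mode, plain `0640` is parsed as an octal integer, so quoting it as `'0640 root root'` is safer and also documents that it is passed through verbatim. The comment lists `hourly` as a valid value, but as far as I know the `logrotate.timer` enabled in the tasks file fires daily by default, so `hourly` here will not rotate hourly unless the timer is also changed; a caveat in that comment would save a support question. The new comments also carry typos (`accordint`, `iption`, `Dont`) that could be fixed while these lines are being touched.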
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 7e4dadc..86cef8a 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -237,7 +237,7 @@
       - 'ModLoad imtcp'
       - 'InputTCPServerRun'
-- name: "6.2.3.8 | PATCH | Ensure logrotate is configured"
+- name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured"
   when:
     - rhel9cis_rule_6_2_3_8
   tags:
@@ -249,45 +249,21 @@
     - rule_6.2.3.8
     - NIST800-53R5_AU-8
   block:
-    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | installed"
+    - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | installed"
       ansible.builtin.package:
         name: rsyslog-logrotate
         state: present
-    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | scheduled"
+    - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured | scheduled"
       ansible.builtin.systemd:
         name: logrotate.timer
         state: started
         enabled: true
-    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set default conf"
-      ansible.builtin.replace:
-        path: "/etc/logrotate.conf"
-        regexp: '^(\s*)(daily|weekly|monthly|yearly)$'
-        replace: "\\1{{ rhel9cis_logrotate }}"
-    - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings"
-      ansible.builtin.find:
-        paths: /etc/logrotate.d/
-        contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$'
-      register: log_rotates
-    - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured"
-      when: log_rotates.matched > 0
-      vars:
-        warn_control_id: '6.2.3.8'
-      block:
-        - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | generate file list"
-          ansible.builtin.set_fact:
-            logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}"
-        - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | List configured files"
-          ansible.builtin.debug:
-            msg: |
-              "Warning!! The following files are not covered by default logrotate settings ensure they match site policy"
-              "{{ logrotate_non_def_conf }}"
-          loop: "{{ log_rotates.files }}"
-        - name: "6.2.3.8 | AUDIT | Ensure logrotate is configured | Warning count"
-          ansible.builtin.import_tasks:
-            file: warning_facts.yml
+    - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
+      ansible.builtin.template:
+        src: etc/logrotate.d/rsyslog.conf.j2
+        dest: /etc/logrotate.d/rsyslog.conf
+        owner: root
+        group: root
+        mode: '0640'
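Review bot: The new template task at the end of the hunk is still named `"6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"` while the two sibling tasks in the same block were renamed to `Ensure rsyslog logrotate is configured`; rename it to match so the control's tasks stay consistent and greppable. With the `/etc/logrotate.conf` replace and the `/etc/logrotate.d` audit removed, `rhel9cis_logrotate` is no longer referenced in this file; if it is still declared in defaults/main.yml it is now dead and should either be removed or documented as unused. The role also no longer checks that other logrotate.d entries, including the one the rsyslog-logrotate package presumably installs for /var/log/messages and friends, follow site policy; that is likely intended, but it narrows the control's coverage and deserves a sentence in the commit description. The enclosing 6.2.3.8 task and its `when`/`tags` start before this hunk.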
diff --git a/templates/etc/logrotate.d/rsyslog.conf.j2 b/templates/etc/logrotate.d/rsyslog.conf.j2
new file mode 100644
index 0000000..2423b24
--- /dev/null
+++ b/templates/etc/logrotate.d/rsyslog.conf.j2
@@ -0,0 +1,11 @@
+/var/log/rsyslog/*.log {
+    {{ rhel9cis_rsyslog_logrotate_rotated }}
+    rotate {{ rhel9cis_rsyslog_logrotate_keep }}
+    {% if rhel9cis_rsyslog_logrotate_compress %}compress{% else %}nocompress{% endif %}
+    {% if rhel9cis_rsyslog_logrotate_missingok %}missingok{% else %}missingok{% endif %}
+    {% if rhel9cis_rsyslog_logrotate_notifempty %}notifempty{% else %}ifempty{% endif %}
+    {% if rhel9cis_rsyslog_logrotate_create %}create {{ rhel9cis_rsyslog_logrotate_create_opts }}{% endif %}
+    postrotate
+        /usr/bin/systemctl reload rsyslog.service >/dev/null || true
+    endscript
+}
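Review bot: The missingok line emits `missingok` on both branches of its `{% if %}`, so `rhel9cis_rsyslog_logrotate_missingok` has no effect; the else branch should be `{% else %}nomissingok{% endif %}`. Because the stanza matches a glob, logrotate runs the postrotate script once per rotated file unless `sharedscripts` is present, so add `sharedscripts` on the line before `postrotate` to reload rsyslog a single time per run. `>/dev/null || true` masks a failed reload from logrotate's exit status, and without a reload rsyslog keeps writing to the renamed file rather than the new one; consider dropping `|| true` so the failure is visible in the logrotate.service journal, or at least document why it is swallowed. The `/var/log/rsyslog/*.log` path is not somewhere the stock rsyslog configuration writes as far as I can tell, so this stanza only does anything where the role's rsyslog template or site rules direct logs there; confirm the path against that template.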