sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

idempontency improvements

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2023-02-27 17:26:34 +00:00
parent 969ee917ba
commit 7459f1d445
No known key found for this signature in database
GPG key ID: 1DE02A772D0908F9
1 changed files with 11 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

16
tasks/section_4/cis_4.1.4.x.yml
View file

@ -8,7 +8,13 @@
block:
- name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
register: audit_logfile
register: audit_discovered_logfile
changed_when: false
- name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
ansible.builtin.stat:
path: "{{ audit_discovered_logfile.stdout }}"
register: auditd_logfile
changed_when: false
- name: |
@ -16,8 +22,8 @@
"4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
"4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
ansible.builtin.file:
path: "{{ audit_logfile.stdout }}"
mode: 0640
path: "{{ audit_discovered_logfile.stdout }}"
mode: "{% if auditd_logfile.stat.mode != '0600' %}0640{% endif %}"
owner: root
group: root
when:
@ -37,12 +43,12 @@
block:
- name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
ansible.builtin.stat:
path: "{{ audit_logfile.stdout | dirname }}"
path: "{{ audit_discovered_logfile.stdout | dirname }}"
register: auditlog_dir
- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
ansible.builtin.file:
path: "{{ audit_logfile.stdout | dirname }}"
path: "{{ audit_discovered_logfile.stdout | dirname }}"
state: directory
mode: 0750
when: not auditlog_dir.stat.mode is match('07(0|5)0')