
firewall pkg control - prefer log capture

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-04-04 15:15:40 +01:00
parent adcc647dd4
commit 842b295ecf
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
3 changed files with 15 additions and 1 deletions


@ -476,17 +476,24 @@ rhel9cis_tftp_client: false
## Section3 vars ## Section3 vars
### Firewall Service - either firewalld, iptables, or nftables ### Firewall Service - either firewalld, iptables, or nftables
#### Some control allow for services to be removed or masked
#### The options are under each heading
#### absent = remove the package
#### masked = leave package if installed and mask the service
rhel9cis_firewall: firewalld rhel9cis_firewall: firewalld
##### firewalld ##### firewalld
rhel9cis_default_zone: public rhel9cis_default_zone: public
rhel9cis_firewalld_nftables_state: absent
#### nftables #### nftables
rhel9cis_nftables_firewalld_state: absent
rhel9cis_nft_tables_autonewtable: true rhel9cis_nft_tables_autonewtable: true
rhel9cis_nft_tables_tablename: filter rhel9cis_nft_tables_tablename: filter
rhel9cis_nft_tables_autochaincreate: true rhel9cis_nft_tables_autochaincreate: true
#### iptables #### iptables
rhel9cis_iptables_firewalld_state: absent
# Warning Banner Content (issue, issue.net, motd) # Warning Banner Content (issue, issue.net, motd)
rhel9cis_warning_banner: | rhel9cis_warning_banner: |
@ -508,6 +515,11 @@ rhel9cis_audit_back_log_limit: 8192
# The max_log_file parameter should be based on your sites policy # The max_log_file parameter should be based on your sites policy
rhel9cis_max_log_file_size: 10 rhel9cis_max_log_file_size: 10
## Preferred method of logging
## Whether rsyslog or journald preferred method for local logging
## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5
rhel9cis_preferred_log_capture: rsyslog
#### 4.2.1.6 remote and destation log server name #### 4.2.1.6 remote and destation log server name
rhel9cis_remote_log_server: logagg.example.com rhel9cis_remote_log_server: logagg.example.com
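Review bot: `rhel9cis_preferred_log_capture` (second hunk) is matched for exact equality against `"rsyslog"` and `"journald"` in the two task files of this commit, so any other value — a typo, or `Rsyslog` — silently skips both 4.2.1.3 and 4.2.2.5 and leaves neither forwarding path configured, without any error to flag the coverage gap. The comment block above the variable should state the accepted values, e.g. `## Valid values: rsyslog | journald (exact, lowercase)`, and a prerequisite `assert` that `rhel9cis_preferred_log_capture in ['rsyslog', 'journald']` (outside this diff) would make a bad value fail fast. The three new `*_state` variables in the first hunk have the same shape: the comments describe `absent` and `masked` as the only options, but nothing visible here validates them.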


@ -29,7 +29,7 @@
- rsyslog - rsyslog
- rule_4.2.1.2 - rule_4.2.1.2
# This is counter to control 4.2.1.5?? # This is counter to control 4.2.2.5??
- name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog" - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
lineinfile: lineinfile:
dest: /etc/systemd/journald.conf dest: /etc/systemd/journald.conf
@ -38,6 +38,7 @@
state: present state: present
when: when:
- rhel9cis_rule_4_2_1_3 - rhel9cis_rule_4_2_1_3
- rhel9cis_preferred_log_capture == "rsyslog"
tags: tags:
- level1-server - level1-server
- level1-workstation - level1-workstation
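Review bot: The added `when` condition makes 4.2.1.3 and 4.2.2.5 (the third file in this commit carries the mirror-image check) mutually exclusive on a case-sensitive string compare, so a value outside `rsyslog`/`journald` disables both controls with no failure; an `assert` on the variable before either task runs would surface that, and this note covers both hunks. The reworded comment on the task, `# This is counter to control 4.2.2.5??`, still reads as an open question although the new condition is exactly what resolves it; suggest `# Mutually exclusive with 4.2.2.5 - chosen via rhel9cis_preferred_log_capture`. The task's `tags` list continues past the end of the hunk.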


@ -137,6 +137,7 @@
notify: restart systemd_journal_upload notify: restart systemd_journal_upload
when: when:
- rhel9cis_rule_4_2_2_5 - rhel9cis_rule_4_2_2_5
- rhel9cis_preferred_log_capture == "journald"
tags: tags:
- level1-server - level1-server
- level2-workstation - level2-workstation
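Review bot: Gating 4.2.2.5 on `rhel9cis_preferred_log_capture == "journald"` only skips the task; if I read the pair correctly, it does not reverse the `/etc/systemd/journald.conf` line that 4.2.1.3 sets (the `line:` itself is not visible in this commit), so a host first run with `rsyslog` and later switched to `journald` can end up with both forwarding paths active. If the intent is exclusive capture, the journald branch should also set the opposing journald.conf value, or the role documentation should state that changing the preference is not undone automatically. The task's `name` and module block start before this hunk.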