---

- name: "6.3.1.1 | PATCH | Ensure auditd is installed"
  when: rhel9cis_rule_6_3_1_1
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.1.1
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  block:
    - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
      when: '"auditd" not in ansible_facts.packages'
      ansible.builtin.package:
        name: audit
        state: present

    - name: "6.3.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
      when: '"auditd-lib" not in ansible_facts.packages'
      ansible.builtin.package:
        name: audit-libs
        state: present

- name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
  when: rhel9cis_rule_6_3_1_2
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - grub
    - rule_6.3.1.2
  block:
    - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
      ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_grubby_curr_value_audit_linux

    - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
      when:
        - discovered_grubby_curr_value_audit_linux.stdout == '' or
          '0' in discovered_grubby_curr_value_audit_linux.stdout or
          'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
      ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
      changed_when: true

- name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
  when: rhel9cis_rule_6_3_1_3
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - grub
    - rule_6.3.1.3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  block:
    - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
      ansible.builtin.shell:
        cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_grubby_curr_value_backlog_linux

    - name: "6.3.1.3 | AUDIT | Check to see if limits are set"
      when:
        - discovered_grubby_curr_value_backlog_linux is not defined or
          discovered_grubby_curr_value_backlog_linux.stdout_lines == []
      ansible.builtin.set_fact:
        discovered_reset_backlog_limits: true

    - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
      when: (item | int < rhel9cis_audit_back_log_limit)
      ansible.builtin.set_fact:
        discovered_reset_backlog_limits: true
      loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"

    - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
      when: discovered_reset_backlog_limits is defined
      ansible.builtin.command:
        cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
      changed_when: true

- name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
  when: rhel9cis_rule_6_3_1_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_6.3.1.4
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
  ansible.builtin.systemd:
    name: auditd
    state: started
    enabled: true