--- - name: "4.3 | PATCH | Ensure logrotate is configured" block: - name: "4.3 | PATCH | Ensure logrotate is configured | installed" ansible.builtin.package: name: rsyslog-logrotate state: present - name: "4.3 | PATCH | Ensure logrotate is configured | scheduled" ansible.builtin.systemd: name: logrotate.timer state: started enabled: true - name: "4.3 | PATCH | Ensure logrotate is configured | set default conf" ansible.builtin.replace: path: "/etc/logrotate.conf" regexp: '^(\s*)(daily|weekly|monthly|yearly)$' replace: "\\1{{ rhel9cis_logrotate }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | Get non default logrotate settings" ansible.builtin.find: paths: /etc/logrotate.d/ contains: '^(\s*)(?!{{ rhel9cis_logrotate }})(daily|weekly|monthly|yearly)$' register: log_rotates - name: "4.3 | AUDIT | Ensure logrotate is configured" block: - name: "4.3 | AUDIT | Ensure logrotate is configured | generate file list" ansible.builtin.set_fact: logrotate_non_def_conf: "{{ log_rotates.files | map(attribute='path') | join (', ') }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | List configured files" ansible.builtin.debug: msg: | "Warning!! The following files are not covered by default logrotate settings ensure they match site policy" "{{ logrotate_non_def_conf }}" loop: "{{ log_rotates.files }}" - name: "4.3 | AUDIT | Ensure logrotate is configured | Warning count" ansible.builtin.import_tasks: file: warning_facts.yaml vars: warn_control_id: '4.3' when: log_rotates.matched > 0 when: - rhel9cis_rule_4_3 tags: - level1-server - level1-workstation - manual - patch - logrotate - rule_4.3