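---
# CIS RHEL 9 section 4.2.2 - journald configuration.
#
# Handlers referenced here ("restart journald", "restart systemd_journal_upload")
# and the rhel9cis_* control/variable switches are defined elsewhere in the role.

- name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed"
  package:
    name: systemd-journal-remote
    state: present
  when:
    - rhel9cis_rule_4_2_2_1_1
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_4.2.2.1.1

# journal-upload.conf: the remote the journal is shipped to and the TLS material
# used on that connection. The regexps are anchored so that an existing setting or
# the shipped commented-out default (e.g. "# URL=") is replaced in place, and a
# stray "URL=" inside an unrelated comment is not rewritten.
- name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured"
  lineinfile:
    path: /etc/systemd/journal-upload.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  notify: restart systemd_journal_upload
  loop:
    - { regexp: '^#?\s*URL=', line: 'URL={{ rhel9cis_journal_upload_url }}' }
    - { regexp: '^#?\s*ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}' }
    - { regexp: '^#?\s*ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}' }
    - { regexp: '^#?\s*TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}' }
  when:
    - rhel9cis_rule_4_2_2_1_2
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_4.2.2.1.2

# NOTE(review): this starts the *upload* (sending) service only when
# rhel9cis_system_is_log_server is true, while 4.2.2.1.2 configures the upload
# target on every host and 4.2.2.1.4 masks *receiving* on non-log-servers.
# Confirm the intended direction against site policy; it may be that the
# condition should be "not rhel9cis_system_is_log_server" so that clients ship
# logs and the log server does not upload to itself. Behaviour left unchanged.
- name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled"
  systemd:
    name: systemd-journal-upload
    state: started
    enabled: true
  when:
    - rhel9cis_system_is_log_server
    - rhel9cis_rule_4_2_2_1_3
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_4.2.2.1.3

# A host that is not the designated log server must not accept journals from
# the network: stop, disable and mask the listening socket.
- name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client"
  systemd:
    name: systemd-journal-remote.socket
    state: stopped
    enabled: false
    masked: true
  when:
    - not rhel9cis_system_is_log_server
    - rhel9cis_rule_4_2_2_1_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - journald
    - rule_4.2.2.1.4

- name: "4.2.2.2 | PATCH | Ensure journald service is enabled"
  block:
    - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service"
      systemd:
        name: systemd-journald
        state: started
        enabled: true

    # systemd-journald is a static unit; "is-enabled" reports "static" rather
    # than "enabled". No shell features are needed, so use command.
    - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status"
      command: systemctl is-enabled systemd-journald.service
      changed_when: false
      failed_when: false
      register: rhel9cis_4_2_2_2_status

    - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status"
      debug:
        msg:
          - "Warning!! The status of systemd-journald should be static and it is not. Please investigate"
      when: "'static' not in rhel9cis_4_2_2_2_status.stdout"

    # Append to the list inside the Jinja expression; the previous
    # "{{ list }} + [ ... ]" form produced a string that only became a list
    # through Ansible's (now removed) implicit re-evaluation of templated results.
    - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count"
      set_fact:
        control_number: "{{ control_number + ['rule_4.2.2.2'] }}"
        warn_count: "{{ warn_count | int + 1 }}"
      when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
  when:
    - rhel9cis_rule_4_2_2_2
  tags:
    - level1-server
    - level1-workstation
    - automated
    - audit
    - journald
    - rule_4.2.2.2

# journald.conf edits below only take effect after journald is restarted, so
# each one notifies the "restart journald" handler (as 4.2.2.6 already did).
- name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
  lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "^#Compress=|^Compress="
    line: Compress=yes
  notify: restart journald
  when:
    - rhel9cis_rule_4_2_2_3
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - journald
    - rule_4.2.2.3

- name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
  lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "^#Storage=|^Storage="
    line: Storage=persistent
  notify: restart journald
  when:
    - rhel9cis_rule_4_2_2_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - journald
    - rule_4.2.2.4

# 4.2.2.5 and 4.2.1.3 ("Ensure journald is configured to send logs to rsyslog")
# are mutually exclusive: enable only one of them according to whether the site
# uses journald or rsyslog as the log destination.
# Note: if no active "ForwardToSyslog=" line exists, lineinfile appends the
# commented line at EOF, which is harmless (journald's default is "no").
- name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
  lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "^ForwardToSyslog="
    line: "#ForwardToSyslog=yes"
  # journald.conf changed, so restart journald (not the upload service).
  notify: restart journald
  when:
    - rhel9cis_rule_4_2_2_5
  tags:
    - level1-server
    - level2-workstation
    - manual
    - patch
    - journald
    - rule_4.2.2.5

# Size/retention limits come from role variables and are site-policy values.
- name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy"
  lineinfile:
    path: /etc/systemd/journald.conf
    regexp: "{{ item.regexp }}"
    line: "{{ item.line }}"
  notify: restart journald
  loop:
    - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}' }
    - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }
    - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}' }
    - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}' }
    - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}' }
  when:
    - rhel9cis_rule_4_2_2_6
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_4.2.2.6

# Audit only: report the tmpfiles.d rules that set journal file/directory
# permissions. /etc/tmpfiles.d/systemd.conf overrides the packaged
# /usr/lib/tmpfiles.d/systemd.conf when present.
- name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured"
  block:
    - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file"
      find:
        paths: /etc/tmpfiles.d
        patterns: systemd.conf
      register: rhel9cis_4_2_2_7_override_status

    - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get override file settings"
      command: cat /etc/tmpfiles.d/systemd.conf
      changed_when: false
      failed_when: false
      register: rhel9cis_4_2_2_7_override_settings
      when: rhel9cis_4_2_2_7_override_status.matched >= 1

    - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Get non-override file settings"
      command: cat /usr/lib/tmpfiles.d/systemd.conf
      changed_when: false
      failed_when: false
      register: rhel9cis_4_2_2_7_notoverride_settings
      when: rhel9cis_4_2_2_7_override_status.matched == 0

    # Exactly one of the two cat tasks above runs; the other is skipped and its
    # registered result has no stdout_lines. Jinja evaluates both ternary
    # arguments, so each branch needs a default or the task errors on the
    # undefined attribute.
    - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Display file settings"
      debug:
        msg:
          - "Warning!! Below are the current default settings for journald, please confirm they align with your site policies"
          - "{{ (rhel9cis_4_2_2_7_override_status.matched >= 1) | ternary(rhel9cis_4_2_2_7_override_settings.stdout_lines | default([]), rhel9cis_4_2_2_7_notoverride_settings.stdout_lines | default([])) }}"

    - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Warn Count"
      set_fact:
        control_number: "{{ control_number + ['rule_4.2.2.7'] }}"
        warn_count: "{{ warn_count | int + 1 }}"
  when:
    - rhel9cis_rule_4_2_2_7
  tags:
    - level1-server
    - level1-workstation
    - manual
    - audit
    - journald
    - rule_4.2.2.7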