--- - name: "4.2.2.1.1 | PATCH | Ensure systemd-journal-remote is installed" ansible.builtin.package: name: systemd-journal-remote state: present when: - rhel9cis_rule_4_2_2_1_1 tags: - level1-server - level1-workstation - manual - patch - journald - rule_4.2.2.1.1 - name: "4.2.2.1.2 | PATCH | Ensure systemd-journal-remote is configured" ansible.builtin.lineinfile: path: /etc/systemd/journal-upload.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart journald loop: - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'} - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'} - { regexp: 'ServerCertificateFile=', line: 'ServerCertificateFile={{ rhel9cis_journal_servercertificatefile }}'} - { regexp: 'TrustedCertificateFile=', line: 'TrustedCertificateFile={{ rhel9cis_journal_trustedcertificatefile }}'} when: - rhel9cis_rule_4_2_2_1_2 tags: - level1-server - level1-workstation - manual - patch - journald - rule_4.2.2.1.2 - name: "4.2.2.1.3 | PATCH | Ensure systemd-journal-remote is enabled" ansible.builtin.systemd: name: systemd-journal-upload state: started enabled: true when: - rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_3 tags: - level1-server - level1-workstation - manual - patch - journald - rule_4.2.2.1.3 - name: "4.2.2.1.4 | PATCH | Ensure journald is not configured to recieve logs from a remote client" ansible.builtin.systemd: name: systemd-journal-remote.socket state: stopped enabled: false masked: true when: - not rhel9cis_system_is_log_server - rhel9cis_rule_4_2_2_1_4 tags: - level1-server - level1-workstation - patch - journald - rule_4.2.2.1.4 - name: "4.2.2.2 | PATCH | Ensure journald service is enabled" block: - name: "4.2.2.2 | PATCH | Ensure journald service is enabled | Enable service" ansible.builtin.systemd: name: systemd-journald state: started enabled: true - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Capture status" ansible.builtin.shell: systemctl is-enabled systemd-journald.service changed_when: false failed_when: false register: rhel9cis_4_2_2_2_status - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Alert on bad status" ansible.builtin.debug: msg: - "Warning!! The status of systemd-journald should be static and it is not. Please investigate" when: "'static' not in rhel9cis_4_2_2_2_status.stdout" - name: "4.2.2.2 | AUDIT | Ensure journald service is enabled | Warn Count" ansible.builtin.import_tasks: warning_facts.yml when: "'static' not in rhel9cis_4_2_2_2_status.stdout" vars: warn_control_id: '4.2.2.2' when: - rhel9cis_rule_4_2_2_2 tags: - level1-server - level1-workstation - audit - journald - rule_4.2.2.2 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files" ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Compress=|^Compress=" line: Compress=yes notify: Restart journald when: - rhel9cis_rule_4_2_2_3 tags: - level1-server - level1-workstation - patch - journald - rule_4.2.2.3 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk" ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^#Storage=|^Storage=" line: Storage=persistent notify: Restart journald when: - rhel9cis_rule_4_2_2_4 tags: - level1-server - level1-workstation - patch - journald - rule_4.2.2.4 # This is counter to control 4.2.1.3?? - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog" ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "^ForwardToSyslog=" line: "#ForwardToSyslog=yes" notify: Restart journald when: - rhel9cis_rule_4_2_2_5 tags: - level1-server - level2-workstation - manual - patch - journald - rule_4.2.2.5 - name: "4.2.2.6 | PATCH | Ensure journald log rotation is configured per site policy" ansible.builtin.lineinfile: path: /etc/systemd/journald.conf regexp: "{{ item.regexp }}" line: "{{ item.line }}" notify: Restart journald loop: - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'} - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' } - { regexp: '^#RuntimeMaxUse=|^RuntimeMaxUse=', line: 'RuntimeMaxUse={{ rhel9cis_journald_runtimemaxuse }}'} - { regexp: '^#RuntimeKeepFree=|^RuntimeKeepFree=', line: 'RuntimeKeepFree={{ rhel9cis_journald_runtimekeepfree }}'} - { regexp: '^#MaxFileSec=|^MaxFileSec=', line: 'MaxFileSec={{ rhel9cis_journald_maxfilesec }}'} when: - rhel9cis_rule_4_2_2_6 tags: - level1-server - level1-workstation - manual - patch - journald - rule_4.2.2.6 - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured" block: - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Check for override file" ansible.builtin.stat: path: /etc/tmpfiles.d/systemd.conf register: rhel9cis_4_2_2_7_override - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file" ansible.builtin.set_fact: systemd_conf_file: /etc/tmpfiles.d/systemd.conf when: rhel9cis_4_2_2_7_override.stat.exists - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission" ansible.builtin.lineinfile: path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}" regexp: '^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root' line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -' when: - rhel9cis_rule_4_2_2_7 tags: - level1-server - level1-workstation - manual - patch - journald - rule_4.2.2.7