---

- name: "4.1.1.1 | PATCH | Ensure auditd is installed"
  block:
      - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
        ansible.builtin.package:
            name: audit
            state: present
        when: '"auditd" not in ansible_facts.packages'

      - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
        ansible.builtin.package:
            name: audit-libs
            state: present
        when: '"auditd-lib" not in ansible_facts.packages'
  when:
      - rhel9cis_rule_4_1_1_1
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.1.1

- name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
  block:
      - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel9cis_4_1_1_2_grubby_curr_value_audit_linux

      - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
        ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
        when:
            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1
  when:
      - rhel9cis_rule_4_1_1_2
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - grub
      - rule_4.1.1.2

- name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
  block:
      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux

      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed"
        ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"
        when:
            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit
  when:
      - rhel9cis_rule_4_1_1_3
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - grub
      - rule_4.1.1.3

- name: "4.1.1.4 | PATCH | Ensure auditd service is enabled"
  ansible.builtin.systemd:
      name: auditd
      state: started
      enabled: true
  when:
      - rhel9cis_rule_4_1_1_4
  tags:
      - level2-server
      - level2-workstation
      - patch
      - auditd
      - rule_4.1.1.4