RHEL9-CIS/tasks/section_4/cis_4.1.x.yml

---

- name: "4.1.3 | L2 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_3
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.3

- name: "4.1.4 | L2 | PATCH | Ensure login and logout events are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_4
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.4

- name: "4.1.5 | L2 | PATCH | Ensure session initiation information is collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_5
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.5

- name: "4.1.6 | L2 | PATCH | Ensure events that modify date and time information are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_6
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.6

- name: "4.1.7 | L2 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_7
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.7

- name: "4.1.8 | L2 | PATCH | Ensure events that modify the system's network environment are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_8
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.8

- name: "4.1.9 | L2 | PATCH | Ensure discretionary access control permission modification events are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_9
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.9

- name: "4.1.10 | L2 | PATCH | Ensure unsuccessful unauthorized file access attempts are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_10
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.10

- name: "4.1.11 | L2 | PATCH | Ensure events that modify user/group information are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_11
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.11

- name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
  block:
      - name: "4.1.12 | L2 | AUDIT | Ensure successful file system mounts are collected"
        shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
        changed_when: false
        failed_when: false
        check_mode: no
        register: priv_procs

      - name: "4.1.12 | L2 | PATCH | Ensure successful file system mounts are collected"
        debug:
          msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
        notify: update auditd
  when:
      - rhel9cis_rule_4_1_12
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.12

- name: "4.1.13 | L2 | PATCH | Ensure use of privileged commands is collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_13
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.13

- name: "4.1.14 | L2 | PATCH | Ensure file deletion events by users are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_14
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.14

- name: "4.1.15 | L2 | PATCH | Ensure kernel module loading and unloading is collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_15
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.15

- name: "4.1.16 | L2 | PATCH | Ensure system administrator actions (sudolog) are collected"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_16
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.16

- name: "4.1.17 | L2 | PATCH | Ensure the audit configuration is immutable"
  debug:
    msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  notify: update auditd
  when:
      - rhel9cis_rule_4_1_17
  tags:
      - level2-server
      - level2-workstation
      - auditd
      - patch
      - rule_4.1.17