* change logic thanks to @rjacobs1990 see #175 * 1.2.1 force gpg import rhel * fix missing facts --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
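# CIS 4.1.4.1 - 4.1.4.3: restrict mode, owner and group of the audit log file
# named by log_file in /etc/audit/auditd.conf. The whole block runs when any
# one of the three rule toggles is enabled, and then applies all three settings.
# NOTE(review): only the single path returned by the discovery step is handled;
# rotated logs in the same directory are not touched by this block.
- name: |
    "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
    "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
    "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
  block:
    # Read-only lookup of the configured log path, so it never reports changed.
    # The registered result is reused by the 4.1.4.4 task further down.
    - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | discover file"
      ansible.builtin.shell: grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'
      changed_when: false
      register: audit_discovered_logfile

    # Kept so auditd_logfile stays registered for any other consumer; the
    # PATCH step below no longer needs the current mode to decide what to set.
    - name: "4.1.4.1 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
      ansible.builtin.stat:
        path: "{{ audit_discovered_logfile.stdout }}"
      changed_when: false
      register: auditd_logfile

    # Symbolic mode only clears bits, so a log that is already tighter than
    # 0640 (0600, 0400, ...) is left as it is. The previous template rendered
    # an empty mode string for 0600 and reset every other mode to 0640, which
    # widened anything stricter.
    - name: |
        "4.1.4.1 | PATCH | Ensure audit log files are mode 0640 or less permissive"
        "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
        "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
      ansible.builtin.file:
        path: "{{ audit_discovered_logfile.stdout }}"
        mode: 'u-x,g-wx,o-rwx'
        owner: root
        group: root
  when:
    - rhel9cis_rule_4_1_4_1 or
      rhel9cis_rule_4_1_4_2 or
      rhel9cis_rule_4_1_4_3
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.1
    - rule_4.1.4.2
    - rule_4.1.4.3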
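# CIS 4.1.4.4: the directory holding the audit log must be 0750 or tighter.
# NOTE(review): audit_discovered_logfile is registered inside the
# 4.1.4.1 - 4.1.4.3 block of this file; if that block is skipped by its rule
# toggles the variable carries no stdout here. Confirm it is also populated
# elsewhere before enabling this rule on its own.
- name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive"
  block:
    # Kept so auditlog_dir stays registered for any other consumer.
    - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
      ansible.builtin.stat:
        path: "{{ audit_discovered_logfile.stdout | dirname }}"
      register: auditlog_dir

    # Symbolic mode only clears group-write and all "other" bits, so the task
    # is idempotent without a regex guard and never loosens a directory that
    # is already tighter than 0750 (the old 0750 reset widened e.g. 0500).
    - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
      ansible.builtin.file:
        path: "{{ audit_discovered_logfile.stdout | dirname }}"
        state: directory
        mode: 'g-w,o-rwx'
  when:
    - rhel9cis_rule_4_1_4_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.4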
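# CIS 4.1.4.5: audit configuration files must be 0640 or tighter.
# auditd_conf_files is registered outside this section of the file.
- name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
  ansible.builtin.file:
    path: "{{ item.path }}"
    # Only clears bits: a file already at 0600 or 0400 keeps its mode, where
    # the previous expression reset everything except 0600 to 0640.
    mode: 'u-x,g-wx,o-rwx'
  # default([]) matches the 4.1.4.6 and 4.1.4.7 loops over the same variable.
  loop: "{{ auditd_conf_files.files | default([]) }}"
  loop_control:
    label: "{{ item.path }}"
  when:
    - rhel9cis_rule_4_1_4_5
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.5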
# CIS 4.1.4.6: every discovered audit configuration file is owned by root.
# auditd_conf_files is registered outside this section; an undefined or empty
# result falls back to an empty loop.
- name: '4.1.4.6 | PATCH | Ensure audit configuration files are owned by root'
  when: rhel9cis_rule_4_1_4_6
  ansible.builtin.file:
    owner: root
    path: '{{ item.path }}'
  loop: '{{ auditd_conf_files.files | default([]) }}'
  loop_control:
    # Show only the path per iteration instead of the full item.
    label: '{{ item.path }}'
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.6
# CIS 4.1.4.7: every discovered audit configuration file has group root.
# auditd_conf_files is registered outside this section; an undefined or empty
# result falls back to an empty loop.
- name: '4.1.4.7 | PATCH | Ensure audit configuration files belong to group root'
  when: rhel9cis_rule_4_1_4_7
  ansible.builtin.file:
    group: root
    path: '{{ item.path }}'
  loop: '{{ auditd_conf_files.files | default([]) }}'
  loop_control:
    # Show only the path per iteration instead of the full item.
    label: '{{ item.path }}'
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.7
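# CIS 4.1.4.8: audit tools must be 0755 or tighter. This task keeps the
# stricter 0750 ceiling that the original enforced.
- name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive"
  block:
    # Stat each tool first so the PATCH step can skip paths that are absent.
    - name: "4.1.4.8 | AUDIT | Get audit binary file stat | get current mode"
      ansible.builtin.stat:
        path: "{{ item }}"
      register: "audit_bins"
      loop:
        - /sbin/auditctl
        - /sbin/aureport
        - /sbin/ausearch
        - /sbin/autrace
        - /sbin/auditd
        - /sbin/augenrules

    # Symbolic mode only clears group-write and all "other" bits, so 0755
    # becomes 0750 as before while a tool already at 0700 or 0550 is not
    # widened. The exists guard replaces the regex on stat.mode, which is
    # not defined for a tool that is not installed.
    - name: "4.1.4.8 | PATCH | Ensure audit tools are 755 or more restrictive | set if required"
      ansible.builtin.file:
        path: "{{ item.item }}"
        mode: 'g-w,o-rwx'
      loop: "{{ audit_bins.results }}"
      loop_control:
        label: "{{ item.item }}"
      when: item.stat.exists
  when:
    - rhel9cis_rule_4_1_4_8
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.8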
# CIS 4.1.4.9: audit tools are owned by root. The task also sets group root,
# which overlaps with 4.1.4.10 below.
# NOTE(review): the paths are not checked for existence before the module
# runs; confirm every listed tool is installed on the target.
- name: '4.1.4.9 | PATCH | Ensure audit tools are owned by root'
  when: rhel9cis_rule_4_1_4_9
  ansible.builtin.file:
    path: '{{ item }}'
    group: root
    owner: root
  loop:
    - /sbin/auditctl
    - /sbin/aureport
    - /sbin/ausearch
    - /sbin/autrace
    - /sbin/auditd
    - /sbin/augenrules
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.9
# CIS 4.1.4.10: audit tools belong to group root.
# NOTE(review): the paths are not checked for existence before the module
# runs; confirm every listed tool is installed on the target.
- name: '4.1.4.10 | PATCH | Ensure audit tools belong to group root'
  when: rhel9cis_rule_4_1_4_10
  ansible.builtin.file:
    group: root
    path: '{{ item }}'
  loop:
    - /sbin/auditctl
    - /sbin/aureport
    - /sbin/ausearch
    - /sbin/autrace
    - /sbin/auditd
    - /sbin/augenrules
  tags:
    - level2-server
    - level2-workstation
    - patch
    - auditd
    - rule_4.1.4.10