From 5de8d4c5586c5a242b434e9bb8e7a26c93da4e7f Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 15:33:10 +0000
Subject: [PATCH] Added optional logrotate install and variable, improved 6.1.3.8 logic

Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 7 ++++++-
 tasks/prelim.yml | 8 ++++++++
 tasks/section_6/cis_6.1.3.8.yml | 4 +++-
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 6c2af85..d37ae5e 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1109,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8
+# 6.1.3.8 LOGRotate
+# Optional to alow logrotate to be installed
+# While it is required for 6.1.3.8 its not installed by default on minimal image
+# or required for CIS to be installed, but in order to achieve ability to install has been added
+ubtu24cis_logrotate_pkg_install: false
+
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 05c725c..74ee0c7 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -256,3 +256,11 @@
 regexp: ^IPT_SYSCTL=.*
 line: IPT_SYSCTL=/etc/sysctl.conf
 mode: 'u-x,go-wx'
+
+- name: "OPTIONAL | PATCH | Install Logrotate if missing"
+ when:
+ - ubtu24cis_rule_6_1_3_8
+ - ubtu24cis_logrotate_pkg_install
+ ansible.builtin.package:
+ name: logrotate
+ state: present
diff --git a/tasks/section_6/cis_6.1.3.8.yml b/tasks/section_6/cis_6.1.3.8.yml
index 932801e..1c68890 100644
--- a/tasks/section_6/cis_6.1.3.8.yml
+++ b/tasks/section_6/cis_6.1.3.8.yml
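Review bot: In defaults/main.yml the comment block above `ubtu24cis_logrotate_pkg_install` does not say what happens when the flag stays at `false`, and its wording is hard to parse ("alow", "in order to achieve ability to install has been added"). Combined with the new condition in tasks/section_6/cis_6.1.3.8.yml, a host without logrotate skips 6.1.3.8 entirely, so the default leaves log rotation unconfigured on minimal images. I would reword the comment to `# Set to true to install logrotate when it is missing (minimal images do not ship it).` followed by `# When false and logrotate is absent, control 6.1.3.8 is skipped and log rotation stays unconfigured.`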
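Review bot: The install task appended to tasks/prelim.yml does not refresh the package facts, yet the updated 6.1.3.8 task keys on `'logrotate' in ansible_facts.packages`. If the package facts are gathered earlier in prelim.yml (not visible in this hunk), the first run installs logrotate and then still skips 6.1.3.8 because the fact set predates the install, so the host is only hardened on a second run. Registering the install result and re-gathering package facts when it changed would close that gap. The new task also has no `tags:`, so a tag-limited run may never reach it; check this against how the other prelim tasks are tagged.

```yaml
- name: "OPTIONAL | PATCH | Install Logrotate if missing"
  # … unchanged: when conditions and ansible.builtin.package install …
  register: prelim_logrotate_install  # constructed name, adjust to the role's naming scheme

- name: "OPTIONAL | PATCH | Refresh package facts after logrotate install"
  when: prelim_logrotate_install is changed
  ansible.builtin.package_facts:
    manager: auto
```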
@@ -1,7 +1,9 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
- when: ubtu24cis_rule_6_1_3_8
+ when:
+ - ubtu24cis_rule_6_1_3_8
+ - "'logrotate' in ansible_facts.packages"
 tags:
 - level1-server
 - level1-workstation
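Review bot: The new condition `'logrotate' in ansible_facts.packages` raises an undefined-variable error instead of skipping when package facts have not been gathered before this task runs. Writing it as `- "'logrotate' in ansible_facts.packages | default({})"` keeps the task safe in that case. Separately, when logrotate is absent the control is now skipped without any message, so a reader of the run output sees a skip and not an unmet control; a companion task that reports the missing package would make the gap visible. The task body continues past the end of the hunk.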