Added optional logrotate install and variable, improved 6.1.3.8 logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -1109,7 +1109,12 @@ ubtu24cis_journald_runtimekeepfree: "#RuntimeKeepFree="
 # ATTENTION: Uncomment the keyword below when values are set!
 ubtu24cis_journald_maxfilesec: "#MaxFileSec="
 
-# 6.1.3.8
+# 6.1.3.8 LOGRotate
+# Optional to alow logrotate to be installed
+# While it is required for 6.1.3.8 its not installed by default on minimal image
+# or required for CIS to be installed, but in order to achieve ability to install has been added
+ubtu24cis_logrotate_pkg_install: false
+
 # ubtu24cis_logrotate sets the daily, weekly, monthly, yearly value for the log rotation
 # To conform to CIS standards this just needs to comply with your site policy
 ubtu24cis_logrotate: "daily"

tasks/prelim.yml

@@ -256,3 +256,11 @@
     regexp: ^IPT_SYSCTL=.*
     line: IPT_SYSCTL=/etc/sysctl.conf
     mode: 'u-x,go-wx'
+
+- name: "OPTIONAL | PATCH | Install Logrotate if missing"
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - ubtu24cis_logrotate_pkg_install
+  ansible.builtin.package:
+    name: logrotate
+    state: present

tasks/section_6/cis_6.1.3.8.yml

@@ -1,7 +1,9 @@
 ---
 
 - name: "6.1.3.8 | PATCH | Ensure logrotate is configured"
-  when: ubtu24cis_rule_6_1_3_8
+  when:
+    - ubtu24cis_rule_6_1_3_8
+    - "'logrotate' in ansible_facts.packages"
   tags:
     - level1-server
     - level1-workstation