improved audit handler and related rules

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
Mark Bolwell 2025-01-10 13:16:56 +00:00
parent 6e78559776
commit e69c18fa1c
No known key found for this signature in database
GPG Key ID: 997FF7FE93AEB5B9
3 changed files with 3 additions and 4 deletions


@ -237,9 +237,7 @@
changed_when: true
- name: Auditd rules reload
when:
- not prelim_auditd_immutable_check or
'"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
ansible.builtin.command: augenrules --load
changed_when: true
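Review bot: In the new `when:` on the "Auditd rules reload" handler the first operand is wrapped in single quotes inside the parentheses, so Jinja sees a non-empty string literal rather than a membership test. The condition is then truthy whatever `augenrules --check` reported, and newer ansible-core releases may reject a non-boolean conditional outright. Dropping the inner quotes makes it a real test: `when: ("No change" not in discovered_augenrules_check.stdout) or prelim_auditd_immutable_check.rc == 1`. Once the expression is actually evaluated, both registered results must carry `stdout` and `rc`, which is presumably not the case if either task was skipped, so a `| default('')` or `is defined` guard is worth adding. It is also worth confirming that `or` is intended, because the reload is attempted whenever a change is pending even when the audit configuration is locked (`enabled 2`), where new rules presumably cannot take effect until reboot.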


@ -218,7 +218,7 @@
- name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
when: "'auditd' in ansible_facts.packages"
tags: always
ansible.builtin.shell: auditctl -l | grep -c '-e 2'
ansible.builtin.shell: auditctl -s | grep "enabled 2"
changed_when: false
failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
register: prelim_auditd_immutable_check
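Review bot: The exit status registered from `auditctl -s | grep "enabled 2"` is grep's alone, so a failing `auditctl` (daemon not running, insufficient privileges) yields rc 1 and is indistinguishable from "not immutable"; `failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]` does not catch it. Running the query without a pipe, `ansible.builtin.command: auditctl -s`, and having consumers test `'enabled 2' in prelim_auditd_immutable_check.stdout` keeps a real failure visible and avoids the shell module. If the pipe stays, add a comment stating that rc 0 means immutable and rc 1 means not immutable, since the reload handler depends on that convention.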


@ -277,3 +277,4 @@
- auditd
ansible.builtin.command: augenrules --check
changed_when: false
register: discovered_augenrules_check