From e69c18fa1c94652ef95ebc6d57e4196e0229b28c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 10 Jan 2025 13:16:56 +0000
Subject: [PATCH] improved audit handler and related rules

Signed-off-by: Mark Bolwell
---
 handlers/main.yml | 4 +---
 tasks/prelim.yml | 2 +-
 tasks/section_6/cis_6.2.3.x.yml | 1 +
 3 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/handlers/main.yml b/handlers/main.yml
index e3a9c38..64b0aad 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -237,9 +237,7 @@
 changed_when: true

 - name: Auditd rules reload
- when:
- not prelim_auditd_immutable_check or '"No change" not in ubtu24cis_rule_6_2_3_21_grep -iR augen_check.stdout'
+ when: ('"No change" not in discovered_augenrules_check.stdout') or prelim_auditd_immutable_check.rc == 1
 ansible.builtin.command: augenrules --load
 changed_when: true

diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index eba0b21..05c725c 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -218,7 +218,7 @@
 - name: "PRELIM | AUDIT | Check if auditd is immutable before changes"
 when: "'auditd' in ansible_facts.packages"
 tags: always
- ansible.builtin.shell: auditctl -l | grep -c '-e 2'
+ ansible.builtin.shell: auditctl -s | grep "enabled 2"
 changed_when: false
 failed_when: prelim_auditd_immutable_check.rc not in [ 0, 1 ]
 register: prelim_auditd_immutable_check
diff --git a/tasks/section_6/cis_6.2.3.x.yml b/tasks/section_6/cis_6.2.3.x.yml
index 58db7d6..dbcbfa4 100644
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@@ -277,3 +277,4 @@
 - auditd
 ansible.builtin.command: augenrules --check
 changed_when: false
+ register: discovered_augenrules_check
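Review bot: The parenthesised part of the new `when` never tests anything: the single quotes sit inside the plain YAML scalar, so `('"No change" not in discovered_augenrules_check.stdout')` is a Jinja string literal, which is truthy, and the handler runs `augenrules --load` on every notification whatever `augenrules --check` reported. The `or` also looks wrong: with it a detected change still triggers a load on an immutable host (prelim check rc 0), where it cannot take effect, whereas the intent appears to be to reload only when the rules changed and auditd is not immutable. Suggested: `when: '"No change" not in discovered_augenrules_check.stdout | default("") and prelim_auditd_immutable_check.rc == 1'`, which quotes the whole expression at the YAML level and uses `default` so a skipped check task in tasks/section_6/cis_6.2.3.x.yml does not leave the handler with an undefined attribute.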
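Review bot: With a plain `sh` pipeline the task's rc is grep's, so if `auditctl -s` itself fails (daemon not reachable, insufficient privilege) grep still exits 1 and the result is indistinguishable from "not immutable"; the `Auditd rules reload` handler in handlers/main.yml then proceeds on a host whose state was never read. Running under bash with `set -o pipefail && auditctl -s | grep "enabled 2"` and `args: executable: /bin/bash` lets `failed_when: ... not in [ 0, 1 ]` catch that, provided auditctl's own error status differs from 1; the fully robust form is to register the plain `auditctl -s` output with `ansible.builtin.command` and test `'enabled 2' in prelim_auditd_immutable_check.stdout_lines` at the consumer instead of relying on rc. Since `stdout` is no longer a count as it was with `grep -c`, a comment on the task would also help: `# rc 0 = auditd immutable (enabled 2), rc 1 = not immutable; only rc is consumed, by the Auditd rules reload handler`.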
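Review bot: The registered result is now a contract consumed by the `Auditd rules reload` handler in handlers/main.yml, but nothing here records that; a comment above the `register` line such as `# stdout is read by the "Auditd rules reload" handler (it looks for "No change")` would stop a later edit from renaming or dropping it silently. The task's `name`, `when` and tags start above the hunk, so whether the task can be skipped (leaving `discovered_augenrules_check` without a `stdout` attribute) is not visible here; if it can, the handler's condition needs a `default` on that attribute.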