---

- name: "6.1.1.1 | PATCH | Ensure journald service is enabled and active"
  when:
    - ubtu24cis_rule_6_1_1_1
  tags:
    - level1-server
    - level1-workstation
    - audit
    - journald
    - rule_6.1.1.1
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
  ansible.builtin.systemd:
    name: systemd-journald.service
    masked: false
    state: started

- name: "6.1.1.2 | PATCH | Ensure journald log file access is configured"
  when:
    - ubtu24cis_rule_6_1_1_2
  tags:
    - level1-server
    - level1-workstation
    - audit
    - journald
    - rule_6.1.1.2
    - NIST800-53R5_AC-3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-12
    - NIST800-53R5_MP-2
    - NIST800-53R5_SI-5
  block:
    - name: "6.1.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
      ansible.builtin.file:
        path: /usr/lib/tmpfiles.d/systemd.conf
        mode: 'g-wx,o-rwx'

    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
      ansible.builtin.stat:
        path: /etc/tmpfiles.d/systemd.conf
      register: discovered_journald_tmpfile_override

    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | If override file check for journal"
      when: discovered_journald_tmpfile_override.stat.exists
      ansible.builtin.shell: grep -E 'z /var/log/journal/%m/system.journal \d*' /usr/lib/tmpfiles.d/systemd.conf
      changed_when: false
      failed_when: discovered_journald_fileperms_override.rc not in [ 0, 1 ]
      register: discovered_journald_fileperms_override

    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
        - discovered_journald_tmpfile_override.stat.exists
        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.debug:
        msg: "Warning!! - tmpfiles override found /usr/lib/tmpfiles.d/systemd.conf affecting journald files please confirm matches site policy"

    - name: "6.1.1.2 | AUDIT | Ensure journald log file access is configured | Warning if override found"
      when:
        - discovered_journald_tmpfile_override.stat.exists
        - discovered_journald_fileperms_override.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      vars:
        warn_control_id: '6.1.1.2'

- name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured"
  when:
    - ubtu24cis_rule_6_1_1_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - journald
    - rule_6.1.1.3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
  notify: Restart journald
  block:
    - name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured | Add file"
      ansible.builtin.template:
        src: etc/systemd/journald.conf.d/rotation.conf.j2
        dest: /etc/systemd/journald.conf.d/rotation.conf
        owner: root
        group: root
        mode: 'g-wx,o-rwx'

    - name: "6.1.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
      ansible.builtin.replace:
        path: /etc/systemd/journald.conf
        regexp: "{{ item }}"
        replace: '#\1'
      loop:
        - '^(\s*SystemMaxUse\s*=.*)'
        - '^(\s*SystemKeepFree\s*=.*)'
        - '^(\s*RuntimeMaxUse\s*=)'
        - '^(\s*RuntimeKeepFree\s*=.*)'
        - '^(\s*MaxFileSec\s*=.*)'