---

- name: "6.1.3.1 | PATCH | Ensure rsyslog is installed"
  when:
    - ubtu24cis_rule_6_1_3_1
    - "'rsyslog' not in ansible_facts.packages"
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.1
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - rsyslog
    - apt
  ansible.builtin.package:
    name: rsyslog
    state: present

- name: "6.1.3.2 | PATCH | Ensure rsyslog service is enabled"
  when: ubtu24cis_rule_6_1_3_2
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.2
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - rsyslog
  ansible.builtin.systemd:
    name: rsyslog
    enabled: true

- name: "6.1.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
  when: ubtu24cis_rule_6_1_3_3
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - journald
    - rule_6.1.3.3
    - NIST800-53R5_AC-3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-4
    - NIST800-53R5_AU-12
    - NIST800-53R5_MP-2
  ansible.builtin.lineinfile:
    path: /etc/systemd/journald.conf
    regexp: ^ForwardToSyslog=
    line: ForwardToSyslog=yes
  notify: Restart syslog service

- name: "6.1.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
  when: ubtu24cis_rule_6_1_3_4
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_AC-6
    - NIST800-53R5_MP-2
    - rsyslog
  ansible.builtin.lineinfile:
    path: /etc/rsyslog.conf
    regexp: '^\$FileCreateMode|^#\$FileCreateMode'
    line: '$FileCreateMode 0640'
  notify: Restart syslog service

- name: "6.1.3.5 | PATCH | Ensure logging is configured"
  when: ubtu24cis_rule_6_1_3_5
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - rule_6.1.3.5
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - rsyslog
  vars:
    warn_control_id: '6.1.3.5'
  block:
    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Find configuration file"
      ansible.builtin.shell: grep -r "*.emerg" /etc/* | cut -f1 -d":"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_rsyslog_config_path

    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Gather rsyslog current config"
      ansible.builtin.command: "cat {{ discovered_rsyslog_config_path.stdout }}"
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_rsyslog_config

    - name: "6.1.3.5 | AUDIT | Ensure logging is configured | Message out config"
      when: not ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.debug:
        msg:
          - "Warning!! Below is the current logging configurations for rsyslog, please review"
          - "{{ discovered_rsyslog_config.stdout_lines }}"

    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Set warning count"
      when: not ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.import_tasks:
        file: warning_facts.yml

    - name: "6.1.3.5 | PATCH | Ensure logging is configured | Automated rsyslog configuration"
      when: ubtu24cis_rsyslog_ansible_managed
      ansible.builtin.lineinfile:
        path: "{{ discovered_rsyslog_config_path.stdout }}"
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        insertafter: "{{ item.insertafter }}"
      with_items:
        - { regexp: '^\*.emerg', line: '*.emerg                         :omusrmsg:*', insertafter: '^# Emergencies are sent to everybody logged in' }
        - { regexp: '^auth,authpriv.\*', line: 'auth,authpriv.*                  /var/log/secure', insertafter: '^# First some standard log files.  Log by facility' }
        - { regexp: '^mail.\*|^#mail.\*', line: 'mail.*                          -/var/log/mail', insertafter: '^# First some standard log files' }
        - { regexp: '^cron.\*|^#cron.\*', line: 'cron.*                          /var/log/cron', insertafter: '^# First some standard log files' }
        - { regexp: '^mail.info|^#mail.info', line: 'mail.info                      -/var/log/mail.info', insertafter: '^# Logging for the mail system' }
        - { regexp: '^mail.warn|^#mail.warn', line: 'mail.warning                   -/var/log/mail.warn', insertafter: '^# Logging for the mail system.' }
        - { regexp: '^mail.err|^#mail.err', line: 'mail.err                        /var/log/mail.err', insertafter: '^# Logging for the mail system.' }
        - { regexp: '^\*.=warning;\*.=err|^#\*.=warning;\*.=err', line: '*.=warning;*.=err               -/var/log/warn', insertafter: '^# First some standard log files' }
        - { regexp: '^\*.crit|^#\*.crit', line: '*.crit                           /var/log/warn', insertafter: '^# First some standard log files' }
        - { regexp: '^\*.\*;mail.none;news.none|^#\*.\*;mail.none;news.none', line: '*.*;mail.none;news.none         -/var/log/messages', insertafter: '^# First some standard log files' }
        - { regexp: '^local0,local1.\*|^#local0,local1.\*', line: 'local0,local1.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local2,local3.\*|^#local2,local3.\*', line: 'local2,local3.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local4,local5.\*|^#local4,local5.\*', line: 'local4,local5.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
        - { regexp: '^local6,local7.\*|^#local6,local7.\*', line: 'local6,local7.*                 -/var/log/localmessages', insertafter: '^# First some standard log files' }
      loop_control:
        label: "{{ item.line }}"
      notify: Restart syslog service

- name: "6.1.3.6 | PATCH | Ensure rsyslog is configured to send logs to a remote log host"
  when:
    - ubtu24cis_rule_6_1_3_6
    - not ubtu24cis_system_is_log_server
  tags:
    - level1-server
    - level1-workstation
    - automated
    - patch
    - rule_6.1.3.6
    - NIST800-53R5_AU-6
    - rsyslog
  ansible.builtin.blockinfile:
    path: /etc/rsyslog.conf
    block: |
      ##Enable sending of logs over TCP add the following line:
      *.* @@{{ ubtu24cis_remote_log_server }}
    insertafter: EOF

- name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client"
  when: ubtu24cis_rule_6_1_3_7
  tags:
    - level1-server
    - level1-workstation
    - manual
    - patch
    - rule_6.1.3.7
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-7
    - NIST800-53R5_AU-12
    - NIST800-53R5_CM-6
    - rsyslog
  block:
    - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When not a log host"
      when: not ubtu24cis_system_is_log_server
      ansible.builtin.replace:
        path: /etc/rsyslog.conf
        regexp: '({{ item }})'
        replace: '#\1'
      with_items:
        - '^(\$ModLoad|module(load="imtcp"))'
        - '^(\$(InputTCP|InputRELP|UDP)ServerRun|input(type="imtcp" port=".*"))'
      notify: Restart syslog service

    - name: "6.1.3.7 | PATCH | Ensure rsyslog is not configured to receive logs from a remote client | When a log server"
      when: ubtu24cis_system_is_log_server
      ansible.builtin.lineinfile:
        path: /etc/rsyslog.conf
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
      with_items:
        - { regexp: '^\$ModLoad|^#\$ModLoad', line: '$ModLoad imtcp' }
        - { regexp: '^\$InputTCPServerRun|^#\$InputTCPServerRun', line: '$InputTCPServerRun 514' }
      notify: Restart syslog service