---

- name: "6.2.1.1 | PATCH | Ensure auditd packages are installed"
  when:
    - ubtu24cis_rule_6_2_1_1
    - "'auditd' not in ansible_facts.packages or
      'audispd-plugins' not in ansible_facts.packages"
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_6.2.1.1
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - NIST800-53R5_SI-5
    - auditd
  ansible.builtin.package:
    name: ['auditd', 'audispd-plugins']
    state: present

- name: "6.2.1.2 | PATCH | Ensure auditd service is enabled and active"
  when: ubtu24cis_rule_6_2_1_2
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_6.2.1.2
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - auditd
  ansible.builtin.systemd:
    name: auditd
    state: started
    enabled: true
    masked: false

- name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
  when: ubtu24cis_rule_6_2_1_3
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_6.2.1.3
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - auditd
  block:
    - name: "6.2.1.3 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
      ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_grub_cmdline_settings

    - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add setting if doesn't exist"
      when: "'audit=' not in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX='
        line: 'GRUB_CMDLINE_LINUX="{{ discovered_grub_cmdline_settings.stdout }} audit=1"'
      notify: Grub update

    - name: "6.2.1.3 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Update setting if exists"
      when: "'audit=' in discovered_grub_cmdline_settings.stdout"
      ansible.builtin.replace:
        dest: /etc/default/grub
        regexp: 'audit=([0-9]+)'
        replace: 'audit=1'
        after: '^GRUB_CMDLINE_LINUX="'
        before: '"'
      notify: Grub update

- name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient"
  when: ubtu24cis_rule_6_2_1_4
  tags:
    - level2-server
    - level2-workstation
    - patch
    - rule_6.2.1.4
    - NIST800-53R5_AU-2
    - NIST800-53R5_AU-3
    - NIST800-53R5_AU-12
    - auditd
  block:
    - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Get current GRUB_CMDLINE_LINUX"
      ansible.builtin.shell: grep "GRUB_CMDLINE_LINUX=" /etc/default/grub | cut -f2 -d'"'
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_audit_backlog_grub_cmdline_settings

    - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Add setting if doesn't exist"
      when: "'audit_backlog_limit=' not in discovered_audit_backlog_grub_cmdline_settings.stdout"
      ansible.builtin.lineinfile:
        path: /etc/default/grub
        regexp: '^GRUB_CMDLINE_LINUX='
        line: 'GRUB_CMDLINE_LINUX="{{ discovered_audit_backlog_grub_cmdline_settings.stdout }} audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}"'
      notify: Grub update

    - name: "6.2.1.4 | PATCH | Ensure audit_backlog_limit is sufficient | Update setting if exists"
      ansible.builtin.replace:
        dest: /etc/default/grub
        regexp: 'audit_backlog_limit=([0-9]+)'
        replace: 'audit_backlog_limit={{ ubtu24cis_audit_back_log_limit }}'
        after: '^GRUB_CMDLINE_LINUX="'
        before: '"'
      notify: Grub update